Hi,

On Fri, Nov 10, 2023 at 10:05:44AM +0100, Pierre Gruet wrote:
> Hi Salvatore,
>
> I am doing some QA overseeing, I am not the maintainer of i2p. I NMUed it
> one year and a half ago, nothing has happened since then.
>
> On Sun, 06 Aug 2023 21:26:51 +0200 Salvatore Bonaccorso <car...@debian.org>
> wrote:
> > Source: i2p
> > Version: 0.9.48-1.1
> > Tags: security upstream
> > Justification: user security hole
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team
> > <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for i2p.
> >
> > CVE-2023-36325[0]:
> > | Attackers can de-anonymize i2p hidden services with a message replay
> > | attack
> >
> > Should i2p be removed from unstable?
>
> - I feel fixing the CVE would require packaging the last upstream version
>   (which fixed it); the Debian version is far behind it, and upstream has
>   changed its build system, so a simple NMU is not the solution;
> - I don't feel the maintainer still has interest in this package, which he
>   has not touched for 3 years;
> - There is another RC bug #1031817 needing to be worked on, which upstream
>   has not addressed yet;
> - i2p has not been in a Debian release since buster;
> - its popcon is quickly decreasing;
> - there is only one rdep, syndie, with the same maintainer; it has not seen
>   an upload in 4 years and has a near-zero popcon.
>
> I would indeed suggest removing the package and syndie (RoQA) after giving
> the maintainer some time to respond. Keeping these two packages in
> unstable seems only harmful right now.
>
> What do you think?
I agree on this course of action; by now I believe it is best not to have the package in unstable either, unless it gets rebased to a new upstream version (including addressing this CVE).

That said, syndie is as well maintained by Masayuki Hatta <mha...@debian.org>. Bcc'ing the maintainer with some known email addresses.

Regards,
Salvatore