Package: ftp.debian.org Severity: normal X-Debbugs-Cc: r...@debian.org I'm the former maintainer of the webauth package, which provides an Apache-based web single sign-on system. I maintained the software as upstream when I worked for Stanford University.
Stanford chose to replace the software after I left with Shibboleth and has done no further work on it. At this point, it's unlikely that anyone will pick up maintenance. Since this is a security package with some known protocol flaws (including lack of hash agility and use of SHA-1), I don't feel comfortable continuing to include it in Debian. I don't think anyone is in a good position to provide security support for it. It currently has a fixable RC bug due to running perlcritic during the build, so is not present in testing.
