Source: xcftools
Version: 1.0.7-6
Severity: serious
Justification: dead upstream, not fit for stable release
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi

xcftools is, as it looks, dead upstream, and on the last security issues reported (CVE-2019-5086, CVE-2019-5087, #945317) there never was an upstream reaction.

Ideally in this form xcftools is not to be shipped in bullseye and later, but there are some issues to be resolved:

castle-game-engine: xcftools
game-data-packager/contrib: xcftools
neurodebian: xcftools

build-depend on it and it seems mostly for xcf2png calling, which can probably be replaced with an imagemagick convert call.

I will file bugs (with RC severity) after checking with the release team (Ivo De Decker), for the three reverse build dependencies initially with RC severity to investigate the switch from xcftools:

[22:21] < ivodd> carnil: I suggest you file serious bugs against the 3 rdeps asking them to switch
[22:21] < ivodd> if it's as easy as it looks from the bug report, it shouldn't be a big issue
[22:21] < ivodd> if it turn out it's more complicated, we can still revisit the issue

if it turns out to not be feasible we later on can revisit the severity and postpone it for bookworm.

Regards,
Salvatore