Control: severity -1 important

On 25.07.2016 13:11, Markus Frosch wrote:
> Hey all,
> this is an interesting problem, while looking on the 3 dependent packages.
> (see below)
>
> We have 3 choices to go on:
>
> 1. Still provide zendframework 1 in a separated path, so it won't conflict
> with ZF2/3
> 2. Embed needed code into the packages, and drop the full library
> 3. Remove all 3 packages from stretch
>
> I'd prefer to go with #1, there should not be any major security issues in
> the future with the code base.
>
> And if so, we should be able to tackle them.
>
> I would love to hear the opinion of the security team on the matter.
>
> Regards
> Markus
>
>
> ## icingaweb2
>
> The integrations of Zend in terms of controllers/templates is not that big of
> a problem. Zend_Form is integrated tightly into the application.
>
> Any adaption to ZF2/3 will need rewriting, that is not simple and certainly
> not a drop-in replacement in terms of functionality.
>
> ## postfixadmin
>
> Zend_Xmlrpc_Server is used to provide API functionality, this is not a must
> for the package.
>
> But adapting to ZF2/3 will cause rewriting the XMLRPC interface.
>
> ## php-letodms-lucene
>
> The package is relying on Zend_Search_Lucene to index documents and search
> them.
>
> A removal of ZF1 will cause massive problems here. Question is: who uses the
> package?

Until I hear other DDs' opinions on my thoughts, I'd prefer not to remove
zendframework from Debian.

Downgrading bug to important.

David: What do you think? ZF2+3 is not a drop-in replacement for ZF1.

Cheers
Markus Frosch
-- 
mar...@lazyfrosch.de / lazyfro...@debian.org
http://www.lazyfrosch.de