On Tue, Jun 18, 2019 at 05:35:55PM +1000, Dmitry Smirnov wrote:
> I would reclassify those vulnerabilities with lesser severity to avoid
> removal from Buster.
That's certainly possible, but there's still the bigger issue that the
projects seems unmaintained. None of the developers even acknowledged
the report for three weeks. So what's going to happen if there's a severe
issue in rkt? Is there a fork or someone left who's picking this up?
Do you or anyone else in the maintainers feel comfortable to write patches
in the absense of upstream development?
Cheers,
Moritz
