Hi tony,

On Sunday, 15.05.2022 at 11:17 -0700, tony mancill wrote:
> [...]
> Any thoughts? It's a tad messy either way, but using current versions
> simplifies the porting of patches.

I haven't investigated the CVE closely enough but the current reverse-dependencies in Bullseye don't seem to be severely affected by it. bazel-bootstrap and libgoogle-api-client-java are more like leaf packages unless we take openrefine in bullseye-backports into consideration as well.

We could also mark the CVE as ignored for Bullseye because of the minor impact, or just upload the new google-http-client-java package to bullseye after approval by the release team and then update google-oauth-java-client as well. We just have to check if this breaks the two other packages in Bullseye (bazel-bootstrap and google-api-client-java).

So yes, a newer upstream version is fine, if it does not break any existing packages and there is no other way or the alternative would be way too time-consuming and inconvenient.

Cheers,

Markus
__ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.