RC exception for net/py-twisted

To: tech-pkg%netbsd.org@localhost
Subject: RC exception for net/py-twisted
From: Jonathan Schleifer <js%nil.im@localhost>
Date: Sat, 10 Aug 2024 14:57:39 +0200

Hi!

It seems that for net/py-twisted, there is a security issue which wasfixed 2 weeks ago, but only in an RC. Some software such aschat/matrix-synapse have hence updated their dependency to require the rc1.

I know we usually don't update software to RCs, but I'd like to proposethat we make an exception for net/py-twisted, as they document that theydo not do security releases:

> We don’t do maintenance / patch releases, including for securityissues, due to lack of resources.

So because of that, they have released an rc1 2 weeks ago. But there isstill no stable release with the fix. According to


https://github.com/twisted/twisted/issues/12271

this is because they don't have time to do enough testing so just wantto keep the rc1 for a while.

With that in mind, I think it's fair to say that it's an upstream whichis broken enough to allow RCs in pkgsrc. I'd rather have an rc1 than arelease with known security issues that are trivial to exploit. For thestable branches, that of course is problematic, but I'd be nice to atleast have the rc1 in trunk to fix this.


Opinions?

--
Jonathan

Follow-Ups:
- Re: RC exception for net/py-twisted
  - From: Greg Troxel
- Re: RC exception for net/py-twisted
  - From: Thomas Klausner

Prev by Date: Getting the version of an installed dependency?
Next by Date: thunderbird fails to build
Previous by Thread: Getting the version of an installed dependency?
Next by Thread: Re: RC exception for net/py-twisted
Indexes:

Home | Main Index | Thread Index | Old Index