tech-pkg archive


Re: RC exception for net/py-twisted



On Sat, Aug 10, 2024 at 02:57:39PM +0200, Jonathan Schleifer wrote:
> Hi!
> 
> It seems that for net/py-twisted, there is a security issue which was fixed
> 2 weeks ago, but only in an RC. Some software such as chat/matrix-synapse
> have hence updated their dependency to require the rc1.
> 
> I know we usually don't update software to RCs, but I'd like to propose that
> we make an exception for net/py-twisted, as they document that they do not
> do security releases:
> 
> > We don’t do maintenance / patch releases, including for security issues,
> due to lack of resources.
> 
> So because of that, they have released an rc1 2 weeks ago. But there is
> still no stable release with the fix. According to
> 
> https://github.com/twisted/twisted/issues/12271
> 
> this is because they don't have time to do enough testing so just want to
> keep the rc1 for a while.
> 
> With that in mind, I think it's fair to say that it's an upstream which is
> broken enough to allow RCs in pkgsrc. I'd rather have an rc1 than a release
> with known security issues that are trivial to exploit. For the stable
> branches, that of course is problematic, but it'd be nice to at least have
> the rc1 in trunk to fix this.
> 
> Opinions?

Please go ahead.
 Thomas

