Debian Bug report logs - #781063
commons-httpclient: should be removed from Debian during the Stretch release cycle

version graph

Package: src:commons-httpclient; Maintainer for src:commons-httpclient is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Markus Koschany <apo@gambaru.de>

Date: Mon, 23 Mar 2015 23:27:01 UTC

Severity: important

Found in version commons-httpclient/3.1-10.2

Fix blocked by 800990: jakarta-jmeter: depends on obsolete libcommons-httpclient-java library, 800988: jabsorb: depends on obsolete libcommons-httpclient-java library, 800991: jets3t: depends on obsolete libcommons-httpclient-java library, 800994: axis: depends on obsolete libcommons-httpclient-java library, 801000: commons-vfs: depends on obsolete libcommons-httpclient-java library, 800986: libowasp-antisamy-java: depends on obsolete libcommons-httpclient-java library, 801004: jenkins-json: depends on obsolete libcommons-httpclient-java library, 800975: ant-contrib: depends on obsolete libcommons-httpclient-java library

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, apo@gambaru.de, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#781063; Package src:commons-httpclient. (Mon, 23 Mar 2015 23:27:06 GMT) (full text, mbox, link).

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
New Bug report received and forwarded. Copy sent to apo@gambaru.de, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 23 Mar 2015 23:27:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: commons-httpclient: should be removed from Debian during the Stretch release cycle
Date: Tue, 24 Mar 2015 00:23:36 +0100
Source: commons-httpclient
Version: 3.1-10.2
Severity: important

Quoting https://hc.apache.org/httpclient-3.x/

"The Commons HttpClient project is now end of life, and is no longer
being developed. It has been replaced by the Apache HttpComponents
project in its HttpClient and HttpCore modules, which offer better
performance and more flexibility."

I think it would be best to retire this library during the Stretch
release cycle and to switch all reverse-dependencies to

https://packages.qa.debian.org/h/httpcomponents-client.html

The current list of r-deps:

Reverse-Build-Depends-Indep
===========================
* activemq
* ant-contrib
* biomaj
* commons-vfs
* ivy
* jajuk
* jakarta-jmeter
* jenkins
* jenkins-htmlunit
* jenkins-json
* jftp
* jspwiki
* libexml-java
* libjboss-common-java
* libowasp-antisamy-java
* libreoffice
* libspring-java
* maven-docck-plugin
* mule
* openid4java
* wagon
* wagon2

Reverse-Build-Depends
=====================
* axis
* eclipse
* jabsorb
* jackrabbit
* jets3t
* libopenws-java
* libxmlrpc3-java
* lucene-solr
* not-yet-commons-ssl
* spring-build
* triplea
* wsdl2c

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#781063; Package src:commons-httpclient. (Tue, 24 Mar 2015 11:33:07 GMT) (full text, mbox, link).

Acknowledgement sent to Emmanuel Bourg <ebourg@apache.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 24 Mar 2015 11:33:07 GMT) (full text, mbox, link).

Message #10 received at 781063@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Bourg <ebourg@apache.org>
To: Markus Koschany <apo@gambaru.de>, 781063@bugs.debian.org
Subject: Re: Bug#781063: commons-httpclient: should be removed from Debian during the Stretch release cycle
Date: Tue, 24 Mar 2015 12:30:06 +0100
I don't think this is a good idea. commons-httpclient is a very popular
library, even in its older incarnation. Removing it could make it harder
to bring new libraries or applications to Debian.

Emmanuel Bourg

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#781063; Package src:commons-httpclient. (Tue, 24 Mar 2015 11:54:10 GMT) (full text, mbox, link).

Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 24 Mar 2015 11:54:10 GMT) (full text, mbox, link).

Message #15 received at 781063@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: 781063@bugs.debian.org
Subject: Re: Bug#781063: commons-httpclient: should be removed from Debian during the Stretch release cycle
Date: Tue, 24 Mar 2015 12:51:04 +0100
[Message part 1 (text/plain, inline)]
On 24.03.2015 12:30, Emmanuel Bourg wrote:
> I don't think this is a good idea. commons-httpclient is a very popular
> library, even in its older incarnation. Removing it could make it harder
> to bring new libraries or applications to Debian.
> 

Hi,

well, this contradicts what Debian already recommends to users. The
package description of libhttpclient-java states:

"HttpComponents Client is a successor of and replacement for Commons
HttpClient 3.x. Users of Commons HttpClient are strongly encouraged to
upgrade."

It will be much harder in the future to fix security issues when there
is no upstream support and apparently commons-httpclient won't be
developed anymore in favor of libhttpclient-java and Co. The
dependencies should be changed whenever possible to the new and
maintained implementation because this is what we do for all libraries
and applications across the distribution. There will be cases where it
is not as simple but at least we should try to reduce the security risk
and maintenance burden.

Regards,

Markus



[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#781063; Package src:commons-httpclient. (Mon, 13 Apr 2015 16:30:09 GMT) (full text, mbox, link).

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Mon, 13 Apr 2015 16:30:09 GMT) (full text, mbox, link).

Message #20 received at 781063@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: Emmanuel Bourg <ebourg@apache.org>
Cc: 781063@bugs.debian.org
Subject: Re: Bug#781063: commons-httpclient: should be removed from Debian during the Stretch release cycle
Date: Mon, 13 Apr 2015 18:27:19 +0200
[Message part 1 (text/plain, inline)]
Hi Emmanuel,

On 24.03.2015 12:30, Emmanuel Bourg wrote:
> I don't think this is a good idea. commons-httpclient is a very popular
> library, even in its older incarnation. Removing it could make it harder
> to bring new libraries or applications to Debian.

This could be the case, however, the package has not seen maintainer uploads 
in a very long time and has a number of issues. Security issues went 
unaddressed for months. If it's important to keep it, it should be well-
maintained.


Cheers,
Thijs

[signature.asc (application/pgp-signature, inline)]

Added blocking bug(s) of 781063: 800971 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:03 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800972 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:05 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800973 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:07 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800974 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:08 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800975 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:10 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800976 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:12 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800977 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:14 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800978 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:15 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800979 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:17 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800980 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:19 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800981 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:21 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800982 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:22 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800983 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:24 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800984 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:26 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800985 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:28 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800986 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:29 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800987 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:31 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800988 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:33 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800989 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:35 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800990 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:37 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800991 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:38 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800993 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:40 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800994 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:42 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800995 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:43 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800996 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:45 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800997 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:47 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800998 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:48 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800999 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:50 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 801000 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:52 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 801002 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:54 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 801003 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:55 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 801004 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:57 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 800992 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:42:59 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 801001 Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Mon, 05 Oct 2015 17:51:16 GMT) (full text, mbox, link).

Added blocking bug(s) of 781063: 917175 Request was from Markus Koschany <apo@debian.org> to control@bugs.debian.org. (Sun, 23 Dec 2018 17:36:03 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 13:50:23 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.