Discussion:
Bug#1093577: dnssecjava: New upstream version (needs new dependency)
Add Reply
Andreas Tille
2025-01-20 06:40:01 UTC
Reply
Permalink
Source: dnssecjava
Version: 1.1.3-3
Severity: wishlist

Hi,

I tried to upgrade dnssecjava to the latest upstream version (2.0.0) in Git
but it fails to build due to a new Build-Depends as you can see in Salsa CI[1]:

Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact com.coveo:fmt-maven-plugin:jar:2.9 has not been downloaded from it before.

It would be nice to upgrade to the latest upstream version but it seems
fmt-maven-plugin[2] needs to be packaged before.

Kind regards
Andreas.

[1] https://salsa.debian.org/java-team/dnssecjava/-/jobs/6953697
[2] https://central.sonatype.com/artifact/com.coveo/fmt-maven-plugin

-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (50, 'buildd-unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-2-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Ingo Bauersachs
2025-01-20 23:10:01 UTC
Reply
Permalink
Post by Andreas Tille
I tried to upgrade dnssecjava to the latest upstream version (2.0.0) in
Git but it fails to build due to a new Build-Depends as you can see in
dnssecjava is EOL, archived on GitHub, and is affected by some CVEs.
The code has been merged into dnsjava.

Note that dnsjava is AFAIK currently also removed from unstable because
it too had CVEs. I'm not sure it's worth updating it either. The only
rdep that I'm aware of was JMeter, and last time I checked, that version
was also extremely old in Debian.

If you do want to update dnsjava, please let me know. The newest version
has some build dependencies in the pom that are almost certainly not
packaged at all or in their current version in Debian, but most of
them should not be necessary to build it (e.g. Spotless, it only checks
that the source code is properly formatted).

Regards,
Ingo
tony mancill
2025-01-21 05:20:01 UTC
Reply
Permalink
Hello Ingo,

Somehow my mail provider decided to categorize your email as spam, so I
only saw the one from Andreas. (More below.)
Post by Ingo Bauersachs
Post by Andreas Tille
I tried to upgrade dnssecjava to the latest upstream version (2.0.0) in
Git but it fails to build due to a new Build-Depends as you can see in
dnssecjava is EOL, archived on GitHub, and is affected by some CVEs.
The code has been merged into dnsjava.
Note that dnsjava is AFAIK currently also removed from unstable because
it too had CVEs. I'm not sure it's worth updating it either. The only
rdep that I'm aware of was JMeter, and last time I checked, that version
was also extremely old in Debian.
If you do want to update dnsjava, please let me know. The newest version
has some build dependencies in the pom that are almost certainly not
packaged at all or in their current version in Debian, but most of
them should not be necessary to build it (e.g. Spotless, it only checks
that the source code is properly formatted).
Regards,
Ingo
A recent update to dnsjava was uploaded to unstable [1] , but there is
still some work to do.

Based on your email, it sounds like the suggested course of action is to
get dnsjava into shape, drop dnssecjava, and update any build
reverse-deps on dnssecjava to use dnsjava.

Thanks,
tony

tony mancill
2025-01-21 05:00:02 UTC
Reply
Permalink
Hi Andreas,
Post by Andreas Tille
Source: dnssecjava
Version: 1.1.3-3
Severity: wishlist
Hi,
I tried to upgrade dnssecjava to the latest upstream version (2.0.0) in Git
Cannot access central (https://repo.maven.apache.org/maven2) in offline mode and the artifact com.coveo:fmt-maven-plugin:jar:2.9 has not been downloaded from it before.
It would be nice to upgrade to the latest upstream version but it seems
fmt-maven-plugin[2] needs to be packaged before.
This plugin can be safely ignored, but there are some additional changes
needed before the package will build. I have pushed some of those
changes to the master branch.

However, the package still FTBFS due to an issue with the recent update
to dnsjava. I just filed #1093673 [1] to keep track of that.

More soon,
tony

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093673
Loading...