- Package: src:debian-security-support
- Source: src:debian-security-support
- Submitter: Sylvain Beucler
- Date: 2026-06-09 17:35:01 UTC
- Severity: normal
- Tags:
Dear Maintainer,

ply (binary package 'python3-ply') is unmaintained upstream:
https://github.com/dabeaz/ply#important-notice---december-21-2025
https://github.com/dabeaz/ply/commit/9d7c40099e23ff78f9d86ef69a26c1e8a83e706a

We are not able to get official security feedback, e.g. for:
https://www.openwall.com/lists/oss-security/2026/01/23/4
which is both 9.8/critical:
https://nvd.nist.gov/vuln/detail/CVE-2025-56005
and unimportant at Debian:
https://security-tracker.debian.org/tracker/CVE-2025-56005
and disputed at independent pages:
https://github.com/tom025/ply_exploit_rejection

More importantly, we won't get security fixes either.

The project is otherwise considered obsoleted by various other libraries, so a takeover is unlikely. The PyPI page didn't see updates either since 2018:
https://pypi.org/project/ply/#history

Consequently it would make sense to mark this package as unsupported in all dists.

See also: https://salsa.debian.org/lts-team/lts-updates-tasks/-/work_items/320

Cheers!
Sylvain Beucler
Debian LTS Team
Hi,

I'm not against marking ply unsupported, but I must say the CVE is very questionable.

to not load pickle files from unknown sources, preferably only when you are sure the pickle file came from your own program.

And in PLY, it's really meant to be pointed to a pickled version of the PLY result, IOW (de-)serializing the in-memory built executable code!

If this CVE was valid, then I imagine the solution for it is to put in the docs "don't do this".

Also: why is there no bug against src:ply?

Best,
Chris (a ply user)
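The practice Chris refers to, that a pickled parse table should only ever be loaded when it came from your own program, is shown below as an added example; it is not code from PLY or from anyone in this thread. It assumes a constructed data-only sample table and a demo key, and layers two checks: an HMAC tag over the file, and an Unpickler that rejects every global reference, which a table made of plain containers never needs.

```python
import collections
import hashlib
import hmac
import io
import pickle

# Constructed sample standing in for a generated parse table: strings, ints,
# tuples, lists and dicts only, no class or function references.
SAMPLE_TABLE = {
    "_tabversion": "3.10",
    "_lr_method": "LALR",
    "_lr_action": {0: {"NUMBER": 3, "$end": -1}},
    "_lr_goto": {0: {"expression": 1}},
    "_lr_productions": [("S' -> expression", "S'", 1, None, None, 0)],
}

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup: builtin scalars and containers still
    load, but any pickle that names a class or function is aborted."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def tag(payload: bytes, key: bytes) -> bytes:
    """Prefix the payload with an HMAC-SHA256 tag under the program's key."""
    return hmac.new(key, payload, hashlib.sha256).digest() + payload

def write_table(table, key: bytes) -> bytes:
    return tag(pickle.dumps(table, protocol=4), key)

def read_table(blob: bytes, key: bytes):
    """Verify the tag first, then unpickle with globals disabled."""
    mac, payload = blob[:32], blob[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("parse table rejected: MAC mismatch")
    return DataOnlyUnpickler(io.BytesIO(payload)).load()

def load_or_reason(blob: bytes, key: bytes):
    """Return ('ok', table) or ('rejected', reason) instead of raising."""
    try:
        return "ok", read_table(blob, key)
    except (ValueError, pickle.UnpicklingError) as exc:
        return "rejected", str(exc)

def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Three cases: genuine table, tampered bytes, tagged data with a global."""
    good = write_table(SAMPLE_TABLE, key)
    tampered = good[:32] + good[32:].replace(b"LALR", b"SLR ")
    # Correctly tagged, so the MAC passes, yet it names a class: refused anyway.
    with_global = tag(pickle.dumps(collections.OrderedDict(), protocol=4), key)
    return {"genuine": load_or_reason(good, key),
            "tampered": load_or_reason(tampered, key),
            "global_ref": load_or_reason(with_global, key)}
```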
It's marked as bogus in the security tracker. I don't think we should
start declaring random packages which are dead upstream as unsupported,
that won't scale and is also not the right course of action. We have
100s of other packages which no longer have an active upstream and
if there's ever a genuine security issue for ply we can look into
fixes ourselves.
Given the package is dead upstream, I think a sensible step would
be to investigate alternatives and if they are packaged, file
bugs against the rdeps.
Cheers,
Moritz
agreed and +1 +1 I guess I will close this bug soon.
Hi,

Would it make sense to mark such packages as "limited support"? (not merely lowly active or abandoned, but officially retired and without compatible replacement/fork, especially with rdeps.)

They can only get a "best effort" support, notably without upstream to sanction our fix, which isn't on par with regularly supported packages. This also hints that something needs to change to get full support again.

Cheers!
Sylvain Beucler
Debian LTS Team
Not really, "limited support" is used for different things.
There are other mechanisms to deal with it, e.g. removing a package in favour
of alternatives if it becomes too burdensome.
Cheers,
Moritz