Comment 11 for bug 1009579

Jamie Strandboge (jdstrand) wrote :

jakarta-taglibs-standard:
- The package builds fine, but needs libservlet3.0-java from universe (but that comes from tomcat7 itself, so there is a circular build dependency)
- no CVE history
- no initscripts, dbus, setuid, sudoers, fscaps or cron jobs
- there appears to be some test data in standard/test but it doesn't appear to be used in the build
- Ubuntu does carry a delta, but it is primarily for packaging cleanups and a patch to work with Java 7
- the Ubuntu server team is subscribed to the bug
- there is a watch file
- Upstream seems inactive. The upstream source has not changed in 8 years. It looks like the project name changed (http://tomcat.apache.org/taglibs/) and that since the name change there have been a few more commits with the last one 3 years ago. They have not released a new version under the new name.
- the current release is packaged
- is lintian clean
- debian/rules is reasonable
- there are a couple of javac warnings during the build, but they look harmless as they fall back to something sane

While upstream seems inactive, that is not always a problem (the software could be mature and working properly for people) and it has a good security history. There is also the issue of the circular build dependency between tomcat7 and jakarta-taglibs-standard, but I don't think this is a blocker, but rather something to make note of.

ACK (but please send the Ubuntu delta to Debian if you haven't already).