Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

John Paul Adrian Glaubitz glaubitz at physik.fu-berlin.de
Sat Jun 20 09:49:37 UTC 2015



On 06/19/2015 01:37 PM, James Cowgill wrote:
> From the bug:
>> RC severity mostly so this shows up on the radars of all the
>> right people crossing off the details we need to finalise for the
>> release.
> 
> That doesn't apply here.

stretch will be released at some point in the future and we will run
into exactly the same problem. We already did for Jessie where cmus is now
broken by default.

> Hmm I personally can't get cmus to break this way but it could be
> RC if it breaks in default installations.

Did you remove your .cmus configuration directory? If you have an
existing .cmus directory, it often works. However, this bug was
discovered by someone at my physics department after upgrading
to Jessie.

Initially, cmus immediately segfaulted with her old configuration
directory. I asked her to rename it, so cmus would use a new directory
and she ended up with the application being stuck at the start
because of libdnet.

It is clearly reproducible. Just did a test install on an unstable
system where cmus was never installed and I get:

glaubitz@ikarus:~$ cmus
getnodeadd: Can not open /etc/decnet.conf

Interestingly, on this machine there is a timeout and cmus starts
eventually. However, I have seen machines (which had a static
IP network configuration) where it hung forever.

>> Which is my whole point.
> 
> Then this is a bug in roaraudio / dnprogs, not cmus.

No one denies that. However, the problem is that the ROAR people
refuse to drop DECnet support and hence Ron asked in [1] to
drop ROAR audio support.

>> The ROAR developers and maintainers refuse to do that which is
>> why we should drop it from cmus. They, for some reason, think
>> it's important to support a pre-historic networking protocol.
> 
> I found this bug: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

Which was closed with the message "Go away, I don't care."

> This is the newer one: 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934

Which is, again, ignored.

> But I couldn't find any evidence the _current_ maintainer of
> roaraudio has refused to remove DECnet support. The current bug
> about it has no replies.

Quoting what Ron said who requested the removal in [1]:

========================================================================

But basically roar was a disaster on lots of fronts as we were trying
to wrap up the wheezy freeze.  It was getting dragged in as a hard
dependency by packages it was pretty hard to avoid having installed if
you had any sort of media support application installed - and the
DECNet farce meant that was breaking people's network configuration.
It in turn was also depending on the obsolete celt package which we
were trying to get removed from wheezy - and every attempt to get its
maintainers to try to fix these things was met with "what problem?
I see no problem here.  DECNet is essential functionality, we can't
drop it ..."

Which basically meant the only choice remaining was to get roar itself
removed from wheezy (which meant dropping the deps on it for anything
that didn't also want to get removed with it).

AFAICT, about the only two actual users of roar in the world are
Philipp, its primary author, and his mate Stephan (who filed all the
"bring it back" bugs for him).

If cmus is Recommending it again, then yeah, dropping that back to a
suggests at the very least seems like a prudent move if it's still
breaking people's systems ...

Though if it's still going to break the systems of people who install
it as a Suggests - and its upstream is still refusing to fix that after
all these years of it being a known problem, I have to wonder a bit
about even the value of that ...  but that's really a question for the
cmus users and maintainer to decide where the value lies.

========================================================================

Adrian

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675610

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz at debian.org
`. `'   Freie Universitaet Berlin - glaubitz at physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913