Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

John Paul Adrian Glaubitz glaubitz at physik.fu-berlin.de
Sat Jun 20 11:02:50 UTC 2015



On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
> I need roaraudio for myself? He is my buddy? I don't know him at
> all :o John: please stop writing e-mails like this..

It's Adrian, not John, and I am just quoting Ron who certainly isn't
making this stuff up. It has apparently always been Stephan who came
forward and asked for ROAR audio reactivation.

>> If you desperately need ROAR audio in cmus, then you can rebuild
>> it manually. Debian should not keep packages that are dead
>> upstream, especially when it comes to network libraries. There is
>> _always_ the risk of these being the source of RC bugs.
> 
> This is definitely not the Debian packaging way: "just some people
> want to use it: build it yourself"

It's definitely the Debian way when a certain package functionality
that maybe a handful of people need breaks other packages. Then it's
your duty as a good Debian maintainer to get rid of the old and
broken stuff. And there has been more than one bug report against
ROAR that asked to drop the DECnet dependency and you keep ignoring
them.

>> I have fixed dozens of such packages during the Wheezy release 
>> phase with NMU uploads because the original maintainer was MIA 
>> and we really should try to avoid such problems in future
>> releases.
> 
> Thanks for fixing RC bugs, this is our job @ Debian :)

You are missing the point. I don't have a problem with fixing RC
bugs. I have a problem having to fix RC bugs in packages that
no one really uses anymore. In case you have forgotten, the
release process for Wheezy was dragged along endlessly because
the amount of RC bugs would simply not go down. Among such bugs
were gems like Iceweasel crashing on sparc or libsnack (used
by aMSN) having a buffer overflow vulnerability. Do you really
think it's justified to hold the release back because of such
ancient software?

They introduced automatic removal of packages affected by RC
bugs for this very reason, and the fact that DECnet is no longer
maintained means that ROAR is permanently at risk of being affected
by RC bugs unless you think you can fix vulnerabilities or
other serious bugs in an ancient networking stack.

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz at debian.org
`. `'   Freie Universitaet Berlin - glaubitz at physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913