Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

John Paul Adrian Glaubitz glaubitz at physik.fu-berlin.de
Sat Jun 20 11:02:50 UTC 2015

On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
> I need roaraudio for myself? He is my buddy? I don't know him at
> all :o John: please stop writing e-mails like this..

It's Adrian, not John, and I am just quoting Ron who certainly isn't
making this stuff up. It has apparently always been Stephan who came
forward and asked for ROAR audio reactivation.

>> If you desperately need ROAR audio in cmus, then you can rebuild
>> it manually. Debian should not keep packages that are dead
>> upstream, especially when it comes to network libraries. There is
>> _always_ the risk of these being the source of RC bugs.
> This is definitely not the Debian packaging way: "just some people
> want to use it: build it yourself"

It's definitely the Debian way when a certain package functionality
that maybe a handful of people need breaks other packages. Then it's
your duty as a good Debian maintainer to get rid of the old and
broken stuff. And there has been more than one bug report against
ROAR that asked to drop the DECnet dependency and you keep ignoring

>> I have fixed dozens of such packages during the Wheezy release 
>> phase with NMU uploads because the original maintainer was MIA 
>> and we really should try to avoid such problems in future
>> releases.
> Thanks for fixing RC bugs, this is our job @ Debian :)

You are missing the point. I don't have a problem with fixing RC
bugs. I have a problem having to fix RC bugs in packages that
no one really uses anymore. In case you have forgotten, the
release process for Wheezy was dragged along endlessly because
the amount of RC bugs would simply not go down. Among such bugs
were gems like Iceweasel crashing on sparc or libsnack (used
by aMSN) having a buffer overflow vulnerability. Do you really
think it's justified to hold the release back because of such
ancient software?

They introduced automatic removal of packages affected by RC
bugs for this very reason and the fact that DECnet is no longer
maintained means that ROAR is permanently at risk of being affected
by RC bugs unless you think you can fix vulnerabilities or
other serious bugs in an ancient networking stack.


-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz at debian.org
`. `'   Freie Universitaet Berlin - glaubitz at physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913