Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

Patrick Matthäi pmatthaei at debian.org
Sat Jun 20 11:12:01 UTC 2015


On 20.06.2015 at 13:02, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
>> I need roaraudio for myself? He is my buddy? I don't know him at
>> all :o John: please stop writing e-mails like this..
> 
> It's Adrian, not John, and I am just quoting Ron who certainly isn't
> making this stuff up. It has apparently always been Stephan who came forward
> and asked for ROAR audio reactivation.

No, it was your e-mail. To quote it again: "except you and your buddy
Patrick."
Stop it, seriously..

> 
>>> If you desperately need ROAR audio in cmus, then you can rebuild
>>> it manually. Debian should not keep packages that are dead
>>> upstream, especially when it comes to network libraries. There is
>>> _always_ the risk of these being the source of RC bugs.
> 
>> This is definitely not the Debian packaging way: "just some people
>> want to use it: build it yourself"
> 
> It's definitely the Debian way when a certain package functionality
> that maybe a handful of people need breaks other packages. Then it's
> your duty as a good Debian maintainer to get rid of the old and
> broken stuff. And there has been more than one bug report against
> ROAR that asked to drop the DECnet dependency and you keep ignoring
> them.

This is not true. Please attach links/emails where I ignored bug
reports/requests (on other channels).

> 
>>> I have fixed dozens of such packages during the Wheezy release 
>>> phase with NMU uploads because the original maintainer was MIA 
>>> and we really should try to avoid such problems in future
>>> releases.
> 
>> Thanks for fixing RC bugs, this is our job @ Debian :)
> 
> You are missing the point. I don't have a problem with fixing RC
> bugs. I have a problem having to fix RC bugs in packages that
> no one really uses anymore. In case you have forgotten, the
> release process for Wheezy was dragged along endlessly because
> the amount of RC bugs would simply not go down. Among such bugs
> were gems like Iceweasel crashing on sparc or libsnack (used
> by aMSN) having a buffer overflow vulnerability. Do you really
> think it's justified to hold the release back because of such
> ancient software?

OK, so let's drop iceweasel? This is definitely off-topic here

> 
> They introduced automatic removal of packages affected by RC
> bugs for this very reason and the fact that DECnet is no longer
> maintained means that ROAR is permanently at risk being affected
> by RC bugs unless you think you can fix vulnerabilities or
> other serious bugs in an ancient networking stack.

Let's drop package XYZ: it may have got issues we didn't discover yet..

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatthaei at debian.org
        patrick at linux-dev.org
*/



More information about the pkg-multimedia-maintainers mailing list