Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

John Paul Adrian Glaubitz glaubitz at physik.fu-berlin.de
Sat Jun 20 17:51:42 UTC 2015


On 06/20/2015 01:12 PM, Patrick Matthäi wrote:
>> It's definitely the Debian way when a certain package
>> functionality that maybe a handful of people need breaks other
>> packages. Then it's your duty as a good Debian maintainer to get
>> rid of the old and broken stuff. And there have been more than
>> one bug report against ROAR that asked to drop the DECnet
>> dependency and you keep ignoring them.
> 
> This is not true. Please attach links/emails where I ignored bug 
> reports/requests (on other channels).

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

Are you actually reading bug reports? Serious question.

>> You are missing the point. I don't have a problem with fixing RC 
>> bugs. I have a problem having to fix RC bugs in packages that no
>> one really uses anymore. In case you have forgotten, the release
>> process for Wheezy was dragged along endlessly because the amount
>> of RC bugs would simply not go down. Among such bugs were gems
>> like Iceweasel crashing on sparc or libsnack (used by aMSN)
>> having a buffer overflow vulnerability. Do you really think it's
>> justified to hold the release back because of such ancient
>> software?
> 
> OK, so let's drop iceweasel? This is definitely off-topic here

No, we dropped sparc as a release architecture as a result
in case you missed that.

>> They introduced automatic removal of packages affected by RC bugs
>> for this very reason and the fact that DECnet is no longer 
>> maintained means that ROAR is permanently at risk of being affected 
>> by RC bugs unless you think you can fix vulnerabilities or other
>> serious bugs in an ancient networking stack.
> 
> Let's drop package XYZ: it may have got issues we didn't discover,
> yet..

No, let's drop package XYZ which _no_one_ maintains both upstream
and downstream. It's absolutely a common practice in Debian
and happens all the time.

Here are some examples:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=206866 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=288112 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=179392 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=182434

I'm sorry Patrick, but I am starting to have doubts that you
know how to do a proper job as a maintainer. You apparently
don't read bug reports (as shown above), you don't know the
details about your *own* packages (you claimed that libdnet
is not a dependency which is simply untrue) and you apparently
have never heard that Debian does, in fact, remove packages
that are either buggy or no longer in active upstream
development.

We may really need to forward this to the technical committee
and ask them to make a decision over the removal of the
DECnet dependencies in ROAR as you are apparently completely
out of touch with reality.

Adrian

- -- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz at debian.org
`. `'   Freie Universitaet Berlin - glaubitz at physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913



More information about the pkg-multimedia-maintainers mailing list