Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

John Paul Adrian Glaubitz glaubitz at physik.fu-berlin.de
Sat Jun 20 17:56:56 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/20/2015 07:51 PM, Jonas Smedegaard wrote:
>> Installing cmus on a newly installed system will therefore
>> install libdnet as a transitive dependency
> 
> Agreed cmus pulls in the _library_ for dnet.

Which is unmaintained upstream and in Debian, see:

> https://packages.qa.debian.org/d/dnprogs.html

I think we can agree that is preferable not to have network
stacks in Debian which are no longer actively maintained as
they pose a possible security risk.

>> and will result in cmus getting stuck directly after start as I
>> have reported earlier in the first message in this bug report
>> [1].
> 
> The first message for this bugreport talks about --with-suggests.
> 
> Can you please clarify how cmus causes beakage rather than the use
> of --with-suggests.

As you can see by the various bug reports, most people don't want
cmus or ROAR to install DECnet libraries on their machines under
any circumstances:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014 
> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027

I really don't understand what keeps Patrick from dropping DECnet
support. I can't seriously imagine that anyone still uses it.

Adrian

- -- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz at debian.org
`. `'   Freie Universitaet Berlin - glaubitz at physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJVhaloAAoJEHQmOzf1tfkTn3EP+wd7wm18j/zu5hIkHTaIVel+
aRBrPmx2gBTOzw7auaIQl0vdP/hKQXmrZOrKQ1rGi7AKoqyftb8dQAjDR/O66VTe
iuAljvAKadiT3ClRJXVZDIGeCXJB2BG1xU07DpiNzMmrVx7PZIXkZslPujn86Ydz
PKjwk6X1kdXljHKeId2qsGj928P/Trp0hJVkCRX7gHqAoVM2ILMzp4GNnma+dIgV
K+tXE99v0eoZy91FHQOxdozfBQNzz4ZZr/YjMBoxM/Z0/HGSvXEAA7N6UPISo+gH
yJx4hSDwY2CX+dUq0E3gVFMlnYa9U4WejXC9xPWFjybivK4S5yJnGH50Gwa5wUTP
Pe22D9iBgayVwtca9ZUMgxa0jwi3SOZwO+OACGmu+jfTAzTloiijfUMh16VSL0le
dI4ITWBLPCRrD1FxLbSB+Gf7wcoXA4MzghUbkqykVNwOADD/lMplRAWe1QxsMxum
t45U/pIdrplcXPXugMgrFujQaQnh/uk4GoJx92tEphkTz8tFCyU1txfrGMFVliyK
O2I3ZAGObSlUHoJSQEnpoVBAfWoL+MwZVyFvt1sCZHJ1S/D2Vb+NgY9avtSpaI0O
B46ESni3j0rXXDUAS2YvlNMbQrw7Itg0uhcpcqYA1hLmHVARr8bqSwl8JkSK8WlR
HY6xIfQ7OEqg27V7V7Kj
=QNyO
-----END PGP SIGNATURE-----



More information about the pkg-multimedia-maintainers mailing list