Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

Jonas Smedegaard dr at jones.dk
Sat Jun 20 18:42:56 UTC 2015

Quoting John Paul Adrian Glaubitz (2015-06-20 12:56:56)
> On 06/20/2015 07:51 PM, Jonas Smedegaard wrote:
>>> Installing cmus on a newly installed system will therefore install 
>>> libdnet as a transitive dependency
>> Agreed cmus pulls in the _library_ for dnet.
> Which is unmaintained upstream and in Debian, see:
>> https://packages.qa.debian.org/d/dnprogs.html
> I think we can agree that is preferable not to have network stacks in 
> Debian which are no longer actively maintained as they pose a possible 
> security risk.

I think we can both agree that using cmus imposes a higher security risk 
than using a simpler music player with fewer dependencies and thus fewer 
overall lines of code potentially containing flaws.

Please file bugreports regarding security flaws of DECnet packages 
against those DECnet packages, *not* their reverse dependencies!

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150620/30f66d3f/attachment.sig>

More information about the pkg-multimedia-maintainers mailing list