Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

Jonas Smedegaard dr at jones.dk
Sat Jun 20 18:42:56 UTC 2015


Quoting John Paul Adrian Glaubitz (2015-06-20 12:56:56)
> On 06/20/2015 07:51 PM, Jonas Smedegaard wrote:
>>> Installing cmus on a newly installed system will therefore install 
>>> libdnet as a transitive dependency
>> 
>> Agreed cmus pulls in the _library_ for dnet.
>
> Which is unmaintained upstream and in Debian, see:
>
>> https://packages.qa.debian.org/d/dnprogs.html
>
> I think we can agree that it is preferable not to have network stacks in 
> Debian which are no longer actively maintained as they pose a possible 
> security risk.

I think we can both agree that using cmus imposes a higher security risk 
than using a simpler music player with fewer dependencies and thus fewer 
overall lines of code potentially containing flaws.

Please file bug reports regarding security flaws of DECnet packages 
against those DECnet packages, *not* their reverse dependencies!


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private