Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2

Ron ron at debian.org
Sun Jun 21 07:19:43 UTC 2015

On Sat, Jun 20, 2015 at 07:31:50PM -0500, Jonas Smedegaard wrote:
> Quoting Don Armstrong (2015-06-20 14:38:25)
> > There's clearly a bug here, but even after reading this bug log, I've 
> > had to do research on my own to determine what that issue is.
> > 
> > If the libroar2 maintainers wish to keep decnet support, then someone
> > should probably figure out how to circumvent waiting for the DECnet to 
> > settle when it isn't actually configured, and propose a patch to do 
> > that.
> > 
> > Even just checking for the existence of dnet-common or similar would 
> > probably be enough.
> As I understand it, these are the issues raised here:
>  a) libdnet is unmaintained and thus potentially dangerous to link 
>     against
>  b) dnet-common commonly (or always by default?) causes the whole system to
>     hang
> I disagree that any of the above are bugs in cmus.

The bit where you and Adrian appear to be talking past each other is:

  c) cmus Recommends roar.  (which it didn't in the Wheezy release)

So anyone installing cmus on a default system (or upgrading from Wheezy)
gets pulled into this.

Demoting that to (at least) Suggests was discussed before this bug
was opened (in a thread that unfortunately didn't hit the BTS since
it was CC'd to an archived bug when Adrian reported it).

Alessio already acknowledged that would be a good idea and suggested
that Adrian open this bug to discuss whether even the Suggests was
still appropriate if installing that suggestion had the same outcome.

To quote Alessio replying to Adrian on that:

> I acknowledge your request, it seems legit to me to demote libroar2
> from Recommends to Suggests.
> Could you please file a bug and set its severity to "important"?
> Furthermore, since I have removed 680745 at bugs.debian.org from the CC:
> field as the bug is archived and no longer accepts mails, it would be
> great if you could attach our discussion to the report for future
> reference. [1]

and his earlier reply re DECNet to Stephan:

> > While it might not be a common feature, it is a feature none the less.
> One that relies on functionalities provided by a factually dead
> software; please get rid of it.
> Meanwhile I'll be demoting cmus's libroar dependency from Recommends
> to Suggests. If roaraudio's maintainers do not show willingness to
> cooperate, then we'll hand this to the TC and see.

I don't have a dog in this race, beyond being CC'd to request some
background clarification in the initial thread, and hoping you all
get on the same page about it soon so it will stop filling my inbox.

I don't particularly care what you choose to do, but "roar pulls in
DECNet -> DECNet breaks people's existing systems" is hardly a new
problem.  People mostly just had a brief respite from it, since for
Wheezy packages that people did actually want stopped pulling in
roar ...

Now that problem is back.  The solutions are all pretty easy, you
just need to pick one.  "Ignoring it" isn't really in the solution
set though, so please do pick one some way or another :)

