[Pkg-roundcube-maintainers] State of Roundcube packaging in Debian?

Vincent Bernat bernat at debian.org
Mon Mar 16 07:54:40 UTC 2015


 ❦ 15 March 2015 15:38 -0500, John Goerzen <jgoerzen at complete.org>:

>>> I found out today that roundcube was removed from Debian testing due to
>>> some unfixed bugs. I investigated a bit further and found that:
>>>
>>>  - 1.1.0 has long been released upstream, but:
>>>     - the watch file never picked it up, and
>>>     - the package VCS is stuck at an unreleased 1.0.0
>>>  - A partially fixed package was uploaded to unstable in January,
>>>    but was not unblocked, and
>>>     - is not in the package VCS
>>>
>>> Could you please elaborate a bit on the state of Roundcube in Debian,
>>> and what I (or others) could do to get it straight again?
>> The package is team-maintained but none of the maintainers have time to
>> take care of Roundcube. Hence, the removal from Jessie. The main
>> difficulty is to handle the 0.9.5 to 1.x upgrade where the configuration
>> files change.
> I assume you mean the config files change in some dramatic way; that is,
> some way that means the existing files won't work anymore?

Yes.

> If that is the case, why does this have to be a big deal?  Couldn't you
> just warn people that the upgrade will break their config, point them to
> the docs, and call it good?  After all, if that is all upstream
> provides, isn't it better than nothing?

Upstream provides a conversion script. But, yes, we could put the
upgrade burden on the user, this is better than no upgrade.

The bottom line is the maintainers don't have time. It is unclear if
orphaning works for a team-maintained package. People propose to help
from time to time, then usually disappear. Someone just proposed to help
(Sandro). Maybe this will help push 1.1.0.

The packaging is not utterly complex but not trivial (dbconfig-common
handling, ucf-managed configuration files, some debconf questions,
embedded code removal, DFSG tarball needed for political reasons).

Also, security handling is difficult because Roundcube is exposed to a
class of attacks (script injection and CSRF) that are usually fixed by
applying large patches difficult to backport. Even when the patch
applies on older versions, we really don't know if it is complete for
the older version.
-- 
Write clearly - don't sacrifice clarity for "efficiency".
            - The Elements of Programming Style (Kernighan & Plauger)