Package: ftp.debian.org
Severity: normal

Hi!

After struggling to get [fixes] merged upstream, I was finally told by
the upstream Photofloat maintainer that the patches from the community
would never be merged, after 3 years of almost complete radio silence.

 [fixes]: https://lists.zx2c4.com/pipermail/photofloat/2014-September/000054.html

The project was also [forked] in June 2017, as [photofloatenhanced],
which was [denounced] as insecure by the original maintainer, so it is
unclear what the future of the project is.

 [forked]: https://lists.zx2c4.com/pipermail/photofloat/2017-June/000173.html
 [photofloatenhanced]: https://github.com/paolobenve/photofloatenhanced
 [denounced]: https://lists.zx2c4.com/pipermail/photofloat/2017-August/000204.html

In a conversation with the author on the #wireguard channel (as
Donenfeld is also working on that VPN software), he explained the fork
had a directory traversal vulnerability and in general expressed
hostility towards the fork and mocked the idea of packaging photofloat in
Debian. He explained he had no duty of merging in patches from
downstream in his project, which he described as a personal project
he simply shared with people. Donenfeld explicitly stated that people
should feel "entitled" to see their work merged.

The Debian package features some of the patches mentioned upstream,
which means it's effectively become another fork. This gives us the
following options:

 1. maintain the current package as a fork in Debian: lots of work, no
    fun.

 2. switch to the photofloatenhanced fork: may have security issues
    and uncertain future.

 3. completely remove the patches and only use the upstream code: may
    be difficult to repackage, features (like video) missing.

 4. try again to merge our patches upstream - they need to be rebased
    and there may be a slight chance to change Donenfeld's mind:
    frustrating work that may just fail.

 5. remove photofloat from Debian: minimal work, future-proof, but we
    abandon possible users.

[Popcon] tells us the install count spiked to around 25 when it was
first introduced in 2013 and slowly rose to around 40 in 2015 and
seems to have leveled and may be declining.

 [Popcon]: https://qa.debian.org/popcon.php?package=photofloat

Considering I do not really want to spend any further energy on this
frustrating adventure and I doubt anyone will pick this up if I orphan
it, please remove photofloat from Debian.
