Hello, for sake of transparency, I'm also publicly stating the private discussion we had with hexchat author (who quoted parts of my answer email on his blog, so I presume this is fine)
email: Hi, I'm the HexChat maintainer and I noticed you re-added XChat to the Debian repositories. To be frank I am baffled and confused. XChat is a dead project that has not seen a release in 8 years now and as somebody who has worked on that codebase for many of those 8 years it is an awful codebase full of vulnerabilities and bugs. I cannot fathom why a distro, especially one like Debian that cares about quality, would even consider adding this to the repositories. I can only assume HexChat did something to anger you but I feel like putting Debian users at risk is the wrong solution to your concerns. I don't expect you to undo this but I am just curious on how or why it happened. my answer: Hello patrick! >Hi, I'm the HexChat maintainer thanks for maintaining HexChat! It is now my *first* irc client, I switched from xchat to hexchat since some years >and I noticed you re-added XChat to the Debian repositories. To be frank I am >baffled and confused.>XChat is a dead project that has not seen a release in 8 >years now and as somebody who has worked on that codebase for many >of those 8 years it is an awful codebase full of vulnerabilities and bugs. I >cannot fathom why a distro, especially one like Debian >that cares about quality, would even consider adding this to the repositories. >I can only assume HexChat did something to anger >you but I feel like putting Debian users at risk is the wrong solution to your >concerns. I don't expect you to undo this but I am >just curious on how or why it happened. you did absolutely *nothing* wrong, and I think your point is really valid. Unfortunately I have to add something on top of your words! Hexchat is dead upstream, this might be true, but it is not "full of bugs and security holes", at least not after I adopted it, because I patched all the CVEs and various bugs that have been around since the begin. I don't really have an answer for my adoption of xchat in Debian, it has been my first irc client, back in the days irc was really used, I loved it, I didn't love the hexchat necessary switch, but now I'm used to the new graphic, and I find it even superior. that said, I like to have a B plan in case hexchat stops working because of some new features requiring new systems, new libraries not available maybe on older pc (e.g.I maintain an Ubuntu ppa that builds xchat back to Ubuntu 14.04, I don't think hexchat can run on such older systems without patching, mainly due to the necessary switch to new libraries and better graphics. I was confused about the reintroduction, as well as you, but since the first upload, I got a lot of emails, thanking me bringing it back, and a backport request really minutes after it has hit unstable again. Other Debian Developers asked me to comaintain backports on older Debian distributions, so I think I wasn't the only one feeling nostalgic of the old days, and old graphics :) BTW, xchat is *fixed* for CVEs, and *stable* wrt libraries, I could even say that developing something increases the possibility to introduce new bugs :) (this is a joke, please don't take it seriously!). I often have something that breaks on my development laptop, because I install new libraries, and test combinations of stuff that is not "what we release". Since I use irc a lot, having a backup plan for an irc connection is something I really need to have, even if right now 95% of the time is Hexchat, and 0.5% xchat. Anyhow, unless you really find bugs / vulnerabilities in xchat/Debian, I would like to keep it in the archive for some more years, maybe until Ubuntu 14.04 goes End Of Life, or maybe until I find another good replacement for hexchat in case of breakages :) BTW don't feel bad, I'm not stealing users to hexchat, popcon seems to agree that xchat is really for a bunch of old developers left :) https://qa.debian.org/popcon.php?package=xchat https://qa.debian.org/popcon.php?package=hexchat I hope I did answer to you, please let me know if I missed anything, I'm really open to a discussion, even public on this topic :) cheers! (and thanks for hexchat!) Gianfranco ---
signature.asc
Description: OpenPGP digital signature