Hi Thijs,

thanks for participating in the discussion. I have seen that you
and Moritz have been the people who were active in mantis bug fixing.

Thijs Kinkhorst wrote:
>> It makes me somehow angry that I invested so much work in bringing
>> mantis back into good shape, when people can block its release by just
>> saying 'hey, it had a bad history'.
> 
> You did not add here that the first result of this work only entered
> Debian a couple of weeks ago. While I do value the fact that you've been
> fixing up the package, the few weeks do not give much time to get a
> reliable indication of whether the package has made a radical change.

Hmm... yeah. I accept this argument. Unfortunately I will have to accept
it. Let's say: I just missed the right point in time to adopt mantis.

>> Given the information by Moritz that
>> it had 21 vulnerabilities, it should be worth mentioning that almost 50%
>> of the bugs I've seen affected almost dusty versions of mantis that are
>> *far* away from the current release.
> 
> I'm sorry, but I do not buy this. I've fixed a large number of bugs in
> the sarge version of Mantis. The sarge version is 1.5 years old. That
> can hardly be called "far away" or "dusty", can it?

The reason why I call the sarge release dusty is not because of its age
in years. It's because of the fact that the sarge release shouldn't have
been released as it was. It would have been a release where I would have
totally agreed to block it for release. But that did not happen. Instead
sarge was shipped with a full-of-bugs (not only security related, but
related to packaging) mantis package. Now we try to fix mistakes of the
past if we block the current mantis package from etch. But that will
not help much regarding the trust that the Debian users who wanted to use
a mantis Debian package lost.

> Please provide it then. I do not think it's convincing to use arguments
> like "it was just dusty" to support your point. Debian had the most
> recent version of mantis when sarge released. This didn't seem to be
> quite immune from vulnerabilities.

Well, actually you are right. Just saying "it's dusty" isn't right. My
fault. But see my above comments about the sarge release. It wasn't
suitable for the company I work in, and if you have a close look at the
bug reports, other people got stuck on the same problems. That's a good
indication that it wasn't of release quality. Even that it wasn't of any
half-good quality at all. It was dangerous to ship such a broken package
in a stable distribution and *that* is IMHO the main reason why it has
a low user base according to popcon.

> But this goes for any other package as well - the point is that these
> numbers can be seen in a relative way: there's a lot of packages that
> have way higher numbers. The security team only has a fixed amount of
> time available to support them. If a package has an exceptionally high
> amount of work compared to a relatively low usage number, this can be a
> valid argument.

I will stop here without arguing about popcon, that it's a comparison
between apples and bananas, that someone should note that mantis 0.19
was not installable for a lot of people, etc. But just one thing:
have a look at the upstream bugtracker and the sponsors list. I don't
think that this says: Mantis has a poor user base, but: Debian is not
able to provide us with a proper package of mantis, so we don't use
their mantis packages.

> But that *does* require concrete evidence that something has indeed
> changed. Especially if you're requesting something like this *very*
> shortly before the release, with little time to revert any mistakes.

Yes, you are right. Currently it is not the right time to make mistakes,
because we can't revert them in time. But what if blocking mantis from
stable would be a mistake? I'm sure it is, even though I understand your
arguments and will finally accept them. Of course this removal from
etch will be a loss of trust for the remaining 40 people using Debian's
mantis packages. But at least they will have the choice to use
mantis/unstable or mantis from the backports.

> It's up to you now: show why mantis deserves the second chance, and why
> it's essential that it deserves it, at this point, instead of e.g. for
> Lenny.

Personally I've thought this point over. But I will not be able to
change your minds until the release of etch. So I will resign and accept
your arguments and your doubts and will not discuss further. Until the
next release of Debian I will try to keep the mantis packages as up-to-date
as possible and then we will hopefully re-integrate it.

Greets
Patrick