On 03/04/2018 05:26 PM, Jeremy Bicha wrote:
> 1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

Didn't you say there is no longer an upstream maintainer?

Please note we have had similar cases with other packages where the maintainer
of a forked project or the original project was attacking the fork or vice
versa. This alone isn't an argument.

> 2. "introduces a security hole on systems where you install the packages" [2]

That's why I was specifically asking for a particular issue you are seeing
with the bug. Again, the maintainer of the fork ranting alone is not
justification enough.

> 3. Multiple copies of the same code base [3]

There are so many other multiple copies of code in Debian (i.e. xemacs21)
that this single leaf package doesn't really make a difference.

> 4. Although not specified in Debian Policy, I believe the Debian
> Project generally does not wish to see "unmaintainable" software in
> Debian, especially if there are maintainable alternatives.

I don't see how this package is unmaintainable. Do you think that
Gianfranco is not up to the job to take care of a simple package like
xchat?

Are we now questioning the skills of each other in public?

> 5. I'm definitely nitpicking here, but the new Debian maintainer did
> not completely follow the Developers Reference practice for
> re-introducing a package by filing an ITP and CCing debian-devel. [4]
> Therefore, in my opinion, the Debian project never collectively agreed
> to xchat's reintroduction to Debian.

Yes, you are nitpicking. Because the Debian Project doesn't have to
give their consent to let a package in the archive. That's the job
of Debian's FTP masters.

>> I don't think a rant posted on reddit by the author of a fork
>> is justified enough to ask for a package to be removed from
>> the archive.
> 
> The author posted his opinion to his personal blog and did not
> directly start the reddit discussion. Also, that author is the subject
> matter expert here and I think we should give due deference to his
> understanding of the security issues present in xchat for which he did
> not seek CVE designations.

If he is an expert, why didn't he even bother posting a single valid
example where xchat is insecure and posing a risk to its users?

If there are valid vulnerabilities, it shouldn't be a problem to list
them.

>> As long as there aren't any serious policy or security issues,
>> Debian usually doesn't impose any limitations on what packages
>> get maintained in the archive and which not.
> 
> Yes, I'm well aware of your position since I've read the reddit discussion.
> 
> However, your characterization of Debian's practice is inaccurate. For
> instance, I'm helping to remove hundreds of packages from Debian right
> now. The packages often are maintained more or less in Debian but have
> had no upstream development for years. [5]

Wasn't there recently a discussion started on debian-devel where
people were complaining about packages getting removed way too
quickly?

I really don't think that your reasoning is acceptable. None of the
points you mentioned above list actual problems. Both you and
the maintainer of the fork fail to list any actual vulnerabilities.

And, to be honest, I would find it more constructive to take care
of packages like mozjs52 which are far more important than
a leaf package like xchat yet haven't seen any fixes and uploads
for months, with bug reports remaining unanswered.

Thanks,
Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913