control: severity -1 important
control: clone -1 -2
control: reassign -2 src:hexchat
control: retitle -2 hexchat: current upstream maintainer is fixing security 
bugs without disclosing them, making hexchat completely unsafe for stable 
releases

Hello,

(I'm cloning based on the fact that the new upstream hexchat maintainer is not 
disclosing security bugs, see the last line of my answer)


(please note, as a *current* maintainer, I think this shouldn't be RC, unless 
somebody points out *real* issues to the package.)
>1. "in the maintainer's opinion, makes the package unsuitable for release" [1]


This is complete nonsense.
The Xchat that has been removed is really different from the one that is 
currently in testing: it has been patched for all the outstanding security 
vulnerabilities, packaging has been redone mostly from scratch, I fixed a lot 
of bugs, and added a lot of patches.

Sorry, but the previous maintainers filed an RM bug for a package that is 
completely different from the actual one.

>2. "introduces a security hole on systems where you install the packages" [2]


pics or didn't happen, you are *all* speculating here.

>3. Multiple copies of the same code base [3]


I disagree even here, the fork is now a lot different from the original code, 
even cherry-picking patches is becoming difficult right now, but the codebase 
of xchat is even smaller (I didn't check this claim).
>4. Although not specified in Debian Policy, I believe the Debian
>Project generally does not wish to see "unmaintainable" software in
>Debian, especially if there are maintainable alternatives.


Maintainable, unless you prove me wrong.
It had 6 uploads with patches in the last 6 months, I wouldn't say 
"unmaintainable".
(one was done by security team, using my patches to patch stable, so this has 
been even a good chance to fix older systems)

Please, point out real issues, not something "read over the internet".

>5. I'm definitely nitpicking here, but the new Debian maintainer did
>not completely follow the Developers Reference practice for
>re-introducing a package by filing an ITP and CCing debian-devel. [4]
>Therefore, in my opinion, the Debian project never collectively agreed
>to xchat's reintroduction to Debian.


To be honest, this is the one really good issue in the whole discussion. I have 
been asking some friend DDs about this point, and I don't really think we have 
a good policy for such cases, it would be nice to write one down, because I 
don't know whether the policy applies here.
>The author posted his opinion to his personal blog and did not
>directly start the reddit discussion. Also, that author is the subject
>matter expert here and I think we should give due deference to his
>understanding of the security issues present in xchat for which he did
>not seek CVE designations.


He started the reddit discussion, after commenting on another thread, with a 
completely unrelated topic [1]

[1] 
https://www.reddit.com/r/linux/comments/8158na/appimagehub_crowdsourced_central_appimage/?st=je9p019d&sh=5ecc7dd3

>Yes, I'm well aware of your position since I've read the reddit discussion.
>However, your characterization of Debian's practice is inaccurate. For
>instance, I'm helping to remove hundreds of packages from Debian right
>now. The packages often are maintained more or less in Debian but have
>had no upstream development for years. [5]

Ok, so what about integrating patches, fixing two more bugs and then releasing 
a new upstream tarball? Would that make you stop asking to remove maintained 
packages?

I don't think this can actually make things better, but meh, I really don't get 
how this discussion can continue, based only on assumptions, and not facts.
(seriously, we have a lot of software, and I'm not against removing old 
stuff, but *please* point me to issues, not speculations).

Right now this bug is nonsense.

BTW: people had more than "400 comments on reddit" about some well known init 
system, did you file a removal bug for it too?

talking about something is not really.

And last thing:
if the hexchat maintainer has fixed security bugs without disclosing them, 
this would make everybody running stable insecure by definition. Let's move 
the discussion to hexchat as well, then.

cheers,

Gianfranco
