Bug#811069: ITP: lbfgsb -- Limited-memory quasi-Newton bound-constrained optimization
On Mon, 2016-01-18 at 13:29 +0100, Gard Spreemann wrote:

> I'm sorry, I seem to have spoken too soon. Most of these are the
> incompatible, older version 2 of L-BFGS-B. An exception is
> python-scipy, which really does bundle version 3 (with minor trivial
> patches).

Please still report them to the security team and pursue getting them
ported to the latest version and the embeds removed upstream.

> I have now contacted upstream and notified them of some of these
> things, including prebuilt binaries, some metadata mess and some
> missing copyright notes.

Great, thanks. When contacting upstream, you may want to point them at this:

https://wiki.debian.org/UpstreamGuide

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#811069: ITP: lbfgsb -- Limited-memory quasi-Newton bound-constrained optimization
Hi Paul, and thanks for your feedback!

On Sat, 16 Jan 2016 22:28:50 +0800 Paul Wise wrote:
> On Fri, Jan 15, 2016 at 7:52 PM, Gard Spreemann wrote:
>
> > A search on codesearch.debian.net reveals that at least the following
> > packages in Debian bundle duplicates of the code:
> > - python-scipy (see also #778635)
> > - vxl
> > - nwchem
> > - plastimatch
> > - psi4
> >
> > I believe that Debian should provide lbfgsb as a standalone library,
> > as it is useful in its own right and its presence could lead to code
> > deduplication in the future.
>
> Please report these to the Debian security team so they can record the
> info in their metadata:
>
> https://wiki.debian.org/EmbeddedCodeCopies

I'm sorry, I seem to have spoken too soon. Most of these are the
incompatible, older version 2 of L-BFGS-B. An exception is
python-scipy, which really does bundle version 3 (with minor trivial
patches).

> > Note that upstream's tarball
> > (http://users.iems.northwestern.edu/~nocedal/Software/Lbfgsb.3.0.tar.gz)
> > contains a few prebuilt binaries, and is also a minor tarbomb.
>
> Ick, that is something that needs fixing upstream.

I have now contacted upstream and notified them of some of these
things, including prebuilt binaries, some metadata mess and some
missing copyright notes.
Bug#811069: ITP: lbfgsb -- Limited-memory quasi-Newton bound-constrained optimization
On Fri, Jan 15, 2016 at 7:52 PM, Gard Spreemann wrote:

> A search on codesearch.debian.net reveals that at least the following
> packages in Debian bundle duplicates of the code:
> - python-scipy (see also #778635)
> - vxl
> - nwchem
> - plastimatch
> - psi4
>
> I believe that Debian should provide lbfgsb as a standalone library,
> as it is useful in its own right and its presence could lead to code
> deduplication in the future.

Please report these to the Debian security team so they can record the
info in their metadata:

https://wiki.debian.org/EmbeddedCodeCopies

> Note that upstream's tarball
> (http://users.iems.northwestern.edu/~nocedal/Software/Lbfgsb.3.0.tar.gz)
> contains a few prebuilt binaries, and is also a minor tarbomb.

Ick, that is something that needs fixing upstream.

> Upstream seems very inactive in the sense that the code appears to be
> "done". I have maintained a package for personal use since 2013 and
> have never experienced problems. I thus feel I could handle maintaining
> the package also for a wider user base going forward.

You might want to check it over using check-all-the-things (in
experimental), that will probably show some things that need polishing.

You might also want to suggest that upstream put their code in a VCS
repository and read our upstream guide.

https://wiki.debian.org/UpstreamGuide

--
bye,
pabs

https://wiki.debian.org/PaulWise
Bug#811069: ITP: lbfgsb -- Limited-memory quasi-Newton bound-constrained optimization
Package: wnpp
Severity: wishlist
Owner: Gard Spreemann

* Package name    : lbfgsb
  Version         : 3.0
  Upstream Author : Ciyou Zhu, Richard Byrd, Jorge Nocedal, Jose Luis Morales
* URL             : http://users.iems.northwestern.edu/~nocedal/lbfgsb.html
* License         : BSD-3-clause
  Programming Lang: Fortran
  Description     : Limited-memory quasi-Newton bound-constrained optimization

The library is a widely used implementation of a bounded, limited-memory
BFGS algorithm.

A search on codesearch.debian.net reveals that at least the following
packages in Debian bundle duplicates of the code:
- python-scipy (see also #778635)
- vxl
- nwchem
- plastimatch
- psi4

I believe that Debian should provide lbfgsb as a standalone library,
as it is useful in its own right and its presence could lead to code
deduplication in the future.

Note that upstream's tarball
(http://users.iems.northwestern.edu/~nocedal/Software/Lbfgsb.3.0.tar.gz)
contains a few prebuilt binaries, and is also a minor tarbomb.

Upstream seems very inactive in the sense that the code appears to be
"done". I have maintained a package for personal use since 2013 and
have never experienced problems. I thus feel I could handle maintaining
the package also for a wider user base going forward.

I would need a sponsor.
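A check for the two tarball problems the ITP flags, a tarbomb layout and prebuilt binaries shipped in a source release, added here as an example and not part of the bug report or of the lbfgsb project. The sample tarball is constructed in memory and its file names are made up; `audit_tarball` works on any real tarball opened as a file object.

```python
import io
import tarfile
from pathlib import PurePosixPath

# Magic numbers for prebuilt artefacts that have no place in a source tarball:
# ELF objects/executables, static 'ar' archives and Windows PE binaries.
BINARY_MAGIC = {b"\x7fELF": "ELF", b"!<arch>\n": "ar archive", b"MZ": "PE"}


def audit_tarball(fileobj):
    """Report top-level entries, detected prebuilt binaries and a tarbomb flag.

    A tarball is a 'tarbomb' when it unpacks more than one entry into the
    current directory instead of everything under a single top-level directory.
    """
    top_level = set()
    binaries = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar.getmembers():
            parts = PurePosixPath(member.name).parts  # pathlib drops a leading "./"
            if parts:
                top_level.add(parts[0])
            if not member.isfile():
                continue
            with tar.extractfile(member) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            for magic, kind in BINARY_MAGIC.items():
                if head.startswith(magic):
                    binaries.append((member.name, kind))
                    break
    return {"top_level": sorted(top_level),
            "is_tarbomb": len(top_level) > 1,
            "binaries": binaries}


def build_sample_tarball():
    """Constructed sample: a tarbomb that also ships a prebuilt ELF object."""
    files = {
        "lbfgsb.f": b"      subroutine setulb\n",      # Fortran source, fine
        "Makefile": b"all:\n\tgfortran lbfgsb.f\n",   # top-level file -> tarbomb
        "x.o": b"\x7fELF\x02\x01\x01" + b"\0" * 9,     # prebuilt object file
        "src/timer.f": b"      subroutine timer\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf
```

On the constructed sample the audit reports four top-level entries (so a tarbomb) and flags `x.o` as an ELF object.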