On 6/8/14, 2:26 PM, John Zaitseff wrote:
> Dear David,
> 
>>> It is somewhat disheartening to see a bug that I've opened in
>>> 2011 still unchanged in status---even though I've provided
>>> solutions over the years.  The last time the maintainer, David
>>> Martínez Moreno, made a release was in 2010.
> 
> I realise that the tone of what I wrote could be interpreted as
> being somewhat combative; I did not intend to come across that way.
> I _am_ grateful that you have packaged ViewVC in the past.
> 
> What worried me is that there were many vulnerabilities patched
> between version 1.1.5 (in Debian) and 1.1.22 (current) that I think
> did not make it into the Debian package---and so I've been packaging
> it at least for myself, to protect my own servers...

        Hello, John.

        I totally understand it.  Just for your peace of mind I've been
reviewing the CVE database as part of the new release and there are no public
vulnerabilities with an assigned CVE that we know of.

        And don't worry about your tone.

[...]
>> As you can imagine I do not want this to keep happening.  I am now
>> going through your changes but I don't see a lot of new things now
>> as the last time (for 1.1.5).  I'm still cleaning the tarball and
>> the bitrot that accumulated over time, but I hope to have finished
>> by tomorrow.
> 
> No, there wasn't much that needed to be changed in the debian
> directory, as far as I remember.  And most of the changes in the
> upstream code itself were for either vulnerabilities or for bug
> fixes.  The rate of development of ViewVC has also slowed down these
> days...

        Yes, it's very slow, only cmpilato makes changes and people report
things from time to time but it's not like 5 or 10 years ago.

        Anyway I gave viewvc's Debian scripts a much-needed rewrite and now
they're simpler and up to date with current standards.  Take a look.

> And I think most SVN die-hards might eventually move over to Git
> anyway :-)

        That is true.

        I'm putting my pre-release packages in http://people.debian.org/~ender,
so if you like and have the time, I'd appreciate if you can test them to make
sure I didn't make any obvious mistake.  Also you can try the FCGI binaries if
you want. :-)

        Take care,


                Ender.
