Control: tag 890756 + moreinfo
Control: tag 890119 + moreinfo

On Feb 18 2018, Nicolas Braud-Santoni wrote:
> Package: sponsorship-requests
> Severity: normal
> Control: block 890119 by -1
> Control: tag 890119 + pending
> Control: tag -1 + security
>
> Hi,

Hi, Nicolas.

There's no need to rush with any upload, as I am going to take care of that myself.

BTW, we had, essentially, a whole week of extended holidays here in Brazil during this week (Carnival), which was the reason why I had not replied earlier (poor connectivity etc.).

> I'm looking for a sponsor for this NMU against youtube-dl.

I am not a security expert (I only have a day-to-day, working knowledge of security), so I don't really know enough to be able to disagree with your assessment of the situation, but the upstream maintainers have a reasonably good reputation (and are famed) for being security-minded and/or crypto experts.

> It removes youtube-dl's built-in autoupdate mechanism, whose security
> is unclear and which is defunct on Debian anyhow (see #890119 for details).

I am OK (not super happy, but OK) with the removal of the --upgrade option of youtube-dl, *BUT* I think that removing it completely and giving the users that try to invoke the command with that option something like "option not recognized" is a poor user experience.

We should, *IF* we remove the option, substitute it with an output saying that in Debian (and other derived distributions) we have disabled that option. Not having this will make users confused, since it would deviate from the behavior of upstream.

Speaking as a user (not as the maintainer) of youtube-dl, that's something that I would expect from *any* Debian package: document conspicuously the differences between the package that we have in Debian and what upstream offers.

Ideally, we should propose something better for upstream, even if we don't end up using it in Debian itself.

> @Rogério: This exactly adds the patch I sent to the packaging repository in
> https://github.com/rbrito/pkg-youtube-dl/pull/2
> However, since the state of the packaging repository is inconsistent
> with what is in the Debian archive, you will need to push to the
> repository, merge my PR, and then manually grab the updated
> changelog.

Yes, I have not yet taken the time to migrate things to salsa.debian.org. I will do so as soon as I get familiar with the needed changes.

I will post the comments above as a review on your pull request...

> The updated version of the package is available on mentors.d.n:
>
> https://mentors.debian.net/package/youtube-dl
>
> https://mentors.debian.net/debian/pool/main/y/youtube-dl/youtube-dl_2018.01.27-1.1.dsc
>
>
> Note that there are 2 minor issues in the package that I did not change:
> - The package still uses dh 10
> I have no idea whether the maintainer wants to switch to dh 11

That's on purpose/intentional, to ease backporting for people that don't have a debhelper so recent.

Actually, the main functionality of the resulting program will not change that much with a newer debhelper, which means that the change will be only a formal change, AFAICS...

> - groff throws a warning on the youtube-dl(1) manpage (lintian tag
> manpage-has-errors-from-man), but I believe this is out of scope for this
> NMU.

This problem has been communicated upstream and we reached the conclusion that it is a problem with pandoc...

All that being said, I will upload a new version of youtube-dl during the next few days...

Regards,

Rogério Brito.

--
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br