Bug#986709: rsnapshot is stable, not dead

[Michael Lustfield]

Note: This is a general response, not meant to address rsnapshot specifically.

On Thu, 30 Sep 2021 19:24:43 -0400
John Brooks  wrote:

> [...]
> And that's about where my ability to contribute usefully ends. My belief 

My offer to mentor prospective debian maintainers stands. I might not be the
bestest teacher, but I can also teach people where to find smarter people to
teach smarter things. ;)


> that the Debian organization and its contributors are generally 
> intelligent and sensible leads me to believe that you and the QA team 
> have good reasons for removing the package, even if I don't understand them.

If you want to continue believing this, I encourage you to avoid any open
source development, especially WRT distributions. :P

Seriously, though... we're all just humans driven by various motives. Although
rare, changes like this /do/ sometimes come with malice. Other times it's best
of intentions, and sometimes those intentions are flawed.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964139
https://www.theverge.com/2021/4/22/22398156/university-minnesota-linux-kernal-ban-research
https://www.theregister.com/2021/06/16/debian_11/
https://arstechnica.com/information-technology/2015/05/debian-8-linuxs-most-reliable-distro-makes-its-biggest-change-since-1993/
^ one of these clearly intends to do harm

[ moving back to rsnapshot ]

> [...]
> Debian package. The only bug of "serious" severity classification is 
> this one. But when my uninformed assessment is at odds with an actual 
> Debian maintainer, I have no choice but to assume that there is an 
> important factor which I am blind to.<<

There are definitely options; I'm just one person with an opinion. It's
entirely possible all of my previous reasoning has been permanently fixed and
I'm just too jaded to see that. If such a scenario were to be our present case,
then it would be very easy for someone else to just hop in, grab this, and
maintain (own) it indefinitely (... or until such time it must be retired).

  ^ This could be you, anyone that commented on this thread, etc.

If, however, my $super_notsosecret reasoning still holds water,
then... that won't be so easy and it becomes a self-solving problem.

>>I understand that it's not your 
> responsibility to teach me just to satisfy my idle curiosity, so we can 
> leave it at that.

It's actually very difficult for me to not launch into a long-winded rant, so
thank-you for prompting me to provide this additional explanation.

Cheers,
-- 
Michael Lustfield

Bug#986709: rsnapshot is stable, not dead

[Michael Lustfield]

On Fri, 1 Oct 2021 16:26:58 +0200
Dirk Heinrichs  wrote:

> [...]
> Esp. when compared to dirvish (see my previous mail), which is
> unmaintained for 16+ years, but still available in bullseye. What's the

See my note about whataboutisms and strawman arguments
... and thanks for highlighting a perfect example.

Bug#986709: rsnapshot is stable, not dead

[Michael Lustfield]

On Sun, 26 Sep 2021 13:49:36 -0400
John Brooks  wrote:

> [...]
> Michael,
> 
> I think it is important that you clarify or modify your stance given 
> that upon further inspection by others here, there are no serious 
> outstanding functional or security issues with the program. Even 
> self-asserted justification (i.e. "I just don't want to maintain it 
> anymore, so find someone else") is acceptable; that is your right as a 
> volunteer. But it would have been prudent to either defend your initial 
> assessment of the program as no longer suitable for inclusion, or 
> acknowledge that you may have been incorrect. Otherwise the issue is 
> just stuck in limbo.
> 
> Additionally, in response to this very bug, a new upstream release has 
> now been issued. In light of this, do you plan to upload the new version 
> and continue to fill the role of maintainer for the rsnapshot Debian 
> package, or is another maintainer still needed going forward?
> 
> I don't seek to impose anything upon you, I just want to see that this 
> doesn't fall through the cracks.
> 
> Thanks
> John Brooks

So... My first response was a wordier version of the message you replied to,
emphasizing the bit where my opinion is moot. What's written below is as much
as I'm willing to dip back into #debiandrama. While reading, please remember
this point (and don't expect further response).


My original request was for a removal, which is a stance I whole-heartedly
still stand by, and which draws from experiences after adopting the package. A
removal like this is basically orphan++ ("I'm afk4eva" vs. "bad package"). That
changed slightly with zeha's bug modifications, but the effect is still largely
the same, with a touch of stability added. (Thanks zeha!)

(sensible action, but likely helps with that "limbo" perception?)
  ^ https://tracker.debian.org/pkg/rsnapshot

side note --

  > Additionally, in response to this very bug, a new upstream release has 
  > now been issued. In light of this, do you plan to upload the new version 

  You very correctly point out that a number of fixes and a new release came
  directly in response to certain actions. Unfortunately, we draw very different
  conclusions. (a hint, perhaps?)


I appreciate that you responded to that particular (#30) message of mine, where
I say that I don't intend to stand in anyone's way, and offered to help anyone
interested in package maintenance, while also maintaining my position. This is
important to me because some people have indeed taken a stab at rsnapshot
maintenance; however, they very quickly disappeared when they learned that it
would require more effort than just slapping an updated tarball onto the
packaging.

> and continue to fill the role of maintainer for the rsnapshot Debian 
> package, or is another maintainer still needed going forward?

^ "continue" stopped at the RM-RoQA (note: this tag was not an accident)

The root of why I claim how I feel does not matter is because the end result is
the same. The only thing that's required to override my (strong) opinion is for
someone to pick it up, understand it well enough to confidently claim it's
ready for release (start w/ debian bugs), and that'll be the end of this thread.

Bug#986709: rsnapshot is stable, not dead

[Michael Lustfield]

On Fri, 28 May 2021 19:56:47 +0100
David Cantrell  wrote:

> [...]
> So what, exactly, is unmaintained about it? Looks to me like it has 
> exactly the amount of maintenance that is required for mature software.

I'm not going to strawman my justifications; it's not terribly relevant anyway.
Absolutely anyone is free to disagree with me and continue maintenance of the
package. If needed, I'll even sponsor the upload.

https://mentors.debian.net/intro-maintainers (read 1-2, start at 3)

Bug#986479: RM rsnapshot -- RoM; RoQA; no longer maintained by upstream

[Michael Lustfield]

Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mtecknol...@debian.org

Despite the very occasional upstream commit/merge, the current upstream project
owner has made it clear (via email, issues [1], and action) that they don't
intend to maintain this project. The last upstream release was in 2019 and they
have indicated they don't plan to make any new releases.

This project is essentially dead and no longer suitable for inclusion in the
Debian archive... or for use on any system. This package should be removed and
anyone who was using it should find an alternative solution.

[1] https://github.com/rsnapshot/rsnapshot/issues/191#issuecomment-562460327

Thanks,
-- 
Michael Lustfield


pgpakgEMzhXAL.pgp
Description: OpenPGP digital signature

Bug#955001: (no subject)

[Michael Lustfield]

I'd be happy to, but it doesn't look like this will ever get reviewed/included.

TBH- I actually forgot about this upload because it's been half a year. If
it's still pending the next time I look at it, I'll probably request it's
rejection and close this bug. :/
-- 
Michael Lustfield

Bug#956287: (no subject)

[Michael Lustfield]

I did not notice that the .so and .exe files were strictly test input. This
makes perfect sense and I agree with your refutal.

Bug#956268: (no subject)

[Michael Lustfield]

Control: reopen 956268

Thank-you for taking the time to address this issue. Although your changes to
d/copyright may accurately reflect the source package for 1.22.2, this bug was
filed against 1.25.0. This version of the package has not received an update to
d/copyright.

Unfortunately, (assuming correctness in 1.22.2) the same d/copyright will not
correctly represent the 1.25.0 source package.

Bug#956268: (no subject)

[Michael Lustfield]

Control: severity -1 serious

This is a policy violation, which constitutes as serious bug. You should stop
incorrectly changing this to a lower severity and fix it with your next upload.


The license recently mentioned states:
  The above copyright notice and this permission notice shall be included
  in all copies or substantial portions of the Software.

The other files I identified have similar issues with different copyright
holders and different licenses.

Bug#956288: Problems identified in debian/copyright

[Michael Lustfield]

Package: dracut
Version: 050+31-1
Severity: serious

I noticed that this package appears to have some issues with debian/copyright.

The first copyright paragraph is missing 'Files: *'.

There is a duplicate 'debian/*' paragraph (merge the copyright holders).

An alternate copyright is mentioned in modules.d/90lvm/*.rules. (note: RH
employee) Although it's nice you noticed the extra Redhat copyright mentioned in
install/dracut-install.c, it's worth noting that this name shows up on many
others.


This project appears to have been driven primarily by Harald, but sponsored (on
the clock) by Redhat. Per US law (where RH is based), Red Hat, Inc. holds the
legal copyright to most of the source presented here. The extra names wouldn't
hold up in court.


Please consider the following proposal.

Files: *
Copyright:
  2008-2012, Red Hat, Inc.
  2012, Harald Hoyer 
  2008, Jeremy Katz 
License: GPL-2+

Files: debian/*
Copyright:
  2009, Philippe Seewer 
  2011-2020 Thomas Lange 
License: GPL-2+

Files:
  install/hashmap.* install/log.*
  install/macro.h install/util.*
Copyright: 2010 Lennart Poettering
License: LGPL-2.1+

License: GPL-2+
  [...]



If you need further clarification, please don't hesitate to ask.

Bug#956289: Problems identified in debian/copyright

[Michael Lustfield]

Package: mpich
Version: 3.4~a2-3
Severity: serious

I noticed that this package appears to have some issues with debian/copyright.

A copyright is missing for:
- src/hwloc/*
- src/izem/*
- src/mpi/romio
- probably more... (I did not look at every subdirectory.)

There is also a copyright paragraph for contrib/knem/, which is unused.

There are also some Lintian warnings which would be beneficial to look at.

If you need further clarification, please don't hesitate to ask.

Bug#956286: Problems identified in debian/copyright

[Michael Lustfield]

Package: folks
Version: 0.13.2-2~exp1
Severity: serious

I noticed that this package appears to have some issues with debian/copyright.

Missing copyright holders:
- Philip Withnall
- Intel Corporation
- Canonical Ltd.
- Renato Araujo Oliveira Filho
- Red Hat, Inc.
- Will Thompson
- Zeeshan Ali (Khattak)
- There may be more.

If you need further clarification, please don't hesitate to ask.

Bug#956287: Problems identified in debian/copyright

[Michael Lustfield]

Package: llvm-toolchain-snapshot
Version: 11~++20200307074845+ec1d1f6ae70-1~exp1
Severity: serious

I noticed that this package appears to have some issues with debian/copyright.

Binary data exists with no indication that it can be rebuilt from source:
- lldb/unittests/ObjectFile/ELF/Inputs/early-section-headers.so
- lldb/unittests/Target/Inputs/TestModule.so
- soo many *.so files
- also many *.exe files
- Note: Test data is *not* excluded from DFSG.

These have a copyright/license that is not represented in d/copyright:
- lib/External/{many}
- llvm/utils/unittest/googletest/*
- llvm/utils/unittest/googlemock/*
- llvm/test/YAMLParser/*
- clang/lib/Headers/cuda_wrappers/*
- llvm/include/llvm/Support/MD5.h
  + Note: pseudonyms don't need to be represented; "2001 Alexander Peslyak
"
- clang/lib/Headers/:
  + avx512vlvp2intersectintrin.h
  + avx512vp2intersectintrin.h
- Note: This is not an exhaustive list.

libcxx/* indicates the wrong license *and* omits a copyright holder. (just
delete that paragraph) The same applies to polly/tools/GPURuntime/; it is
correctly represented when the paragraph is deleted).

clang/lib/Headers/* is represented as using Expat; this is not correct.

Multiple copyright blocks are mentioned for source that does not exist:
- lib/Support/reg*
- lldb/test/unittest2/*
- polly/lib/JSON/*
- test/YAMLParser/*
- utils/unittest/googletest/*

Note: If `polly/lib/JSON/` existed, "fixme" would have been unacceptable. It
should have copied LICENSE.txt.


Although not critical, the machine-readable copyright spec expects license
texts to either be with that paragraph or as an entirely unique paragraph. In
this case, it applies to BSD-3-Clause, expat, and u-of-i-bsd-like. Please see
missing-license-paragraph-in-dep5-copyright for additional information.

Also, it is not required to use four separate paragraphs;
"compiler-rt/lib/BlocksRuntime/*" is sufficient.

It is also possible to combine files:

Files:
  compiler-rt/lib/BlocksRuntime/*
  lldb/tools/debugserver/source/MacOSX/stack_logging.h
Copyright: 1999-2007 Apple Inc.
License: Apple


If you need further clarification, please don't hesitate to ask.

Bug#956284: Problems identified in debian/copyright

[Michael Lustfield]

Package: polybar
Version: 3.4.2-1
Severity: serious

I noticed that this package appears to have a minor issue debian/copyright.

lib/i3ipcpp/3rd/auss/* is missing a reference for Unlicense.

FWIW- Most jurisdictions have very strict copyright laws and do not permit
authors to relinquish material as "public domain," hence the Unlicense license.
This /is/ a license and must be correctly represented in d/copyright.

If you need further clarification, please don't hesitate to ask.

Bug#956285: Problems identified in debian/copyright

[Michael Lustfield]

Package: libtorrent-rasterbar
Version: 1.2.5-1
Severity: serious

I noticed that this package appears to have some issues with debian/copyright.

Missing from d/copyright:
- cmake/Modules/ucm_flags.cmake
- build-aux/
- ed25519/
- include/libtorrent/aux_/cppint_import_export.hpp
- include/libtorrent/aux_/ffs.hpp
- include/libtorrent/aux_/
- include/libtorrent/extensions/ut_pex.hpp
- include/
- src/

src/ConvertUTF.cpp does not meet DFSG and cannot be part of the uploaded package

Note: The usage of "* *.cpp *.hpp docs/*.rst docs/*.html" seems cumbersome.
A single "Files: *" could appear at the top indicating the top-level
license/copyright. Subsequent paragraphs are for files that do not match the
first.

If you need further clarification, please don't hesitate to ask.

Bug#956268: Problems identified in debian/copyright

[Michael Lustfield]

Control: severity -1 serious

src/lib/codemirror has
Copyright (C) 2017 by Marijn Haverbeke  and others
This person is not mentioned in debian/copyright.
This files is NOT GPL-3+.


This is not a problem with my understanding of the format, this is a problem
with an incomplete debian/copyright file.

Bug#956268: Problems identified in debian/copyright

[Michael Lustfield]

Package: ublock-origin
Version: 1.25.0+dfsg-1
Severity: serious

I noticed some issues with debian/copyright in this package.

Missing from d/copyright:
- uAssets/thirdparties/hosts-file.net/*
- uAssets/fisters/annoyances.txt
- src/img/fontawesome
- src/js/codemirror
- src/lib/codemirror
- src/lib/publicsuffixlist
- src/lib/punycode.js


Note-1: I believe annoyances.txt is meant to be GPL-3+.
Please consider contacting upstream for clarification.

Note-2: Rather than specifying each file, using globs on
"thirdparty/$location/*" would probably easier for you to maintain.

Note-3: Why are there changelog copies in debian/upstream?

Bug#955001: ITP: spdx-license-text -- Collection of license data provided by SPDX

[Michael Lustfield]

Package: wnpp
Severity: wishlist
Owner: Michael Lustfield 

* Package name: spdx-licenses
  Version : 3.8
  Upstream Author : SPDX Workgroup
* URL : https://github.com/spdx/license-list-data
* License : public-domain
  Programming Lang: text
  Description : Collection of license data provided by SPDX Workgroup

  SPDX License Text provides a collection of license data (text, meta, etc.)
  assembled by SPDX Workgroup, a Linux Foundaition Project. This includes all
  of the most common licenses as well as many not-so-common and deprecated
  licenses.

-- 
Michael Lustfield

Bug#952855: ITP: razercommander -- GTK contol center for managing Razer peripherals

[Michael Lustfield]

Package: wnpp
Severity: wishlist
Owner: Michael Lustfield 

* Package name: razercommander
  Version : 1.2.1.1
  Upstream Author : Gabriele Musco 
* URL : https://github.com/GabMus/razerCommander
* License : GPL-3.0
  Programming Lang: Python-3
  Description : GTK contol center for managing Razer peripherals

 GTK control center for managing peripherals on Razer hardware.
 .
 Supported hardware:
 - Keyboards
 - Macro keypads (Tartarus, Orbweaver)
 - Mice
 - Laptops (keyboards only)
 - Headsets (possibly, untested)
 - Mousepads (Firefly)

There are many nearly-completed attempts to package this utility. This looks
like it should be quick and easy.

-- 
Michael Lustfield


pgpT2ELCAiWSj.pgp
Description: OpenPGP digital signature

Bug#949173: packages.debian.org: robots.txt doesn't actually block anything

[Michael Lustfield]

On Sat, 18 Jan 2020 01:14:02 +
Paul Wise  wrote:

> On Fri, Jan 17, 2020 at 6:57 PM Adam D. Barratt wrote:
> 
> > which is effectively the same as allowing everything. "Disallow: /"
> > might be more logical, unless there is a desire / requirement to allow
> > crawling and indexing of (parts of) the site.  
> 
> I expect we want to allow crawling the site, all of the pages are
> public and most of them are useful for search engines to index.

+1 This is something I've found very helpful and convenient. I could survive
without those pages being indexed by search engines, but I'd prefer not.

Would it be helpful to disallow certain pages, such as */download?

This is random, but I noticed that the "Tags" link on package pages links to
debtags.alioth.debian.org/edit.html, which no longer exists.

Bug#874880: FreeMedForms projet

[Michael Lustfield]

It looks like this bug went from "Qt4->Qt5" to "no longer DFSG-free."

On Fri, 10 Jan 2020 17:34:35 +0100
Eric Maeker  wrote:

> Oh! There is a misunderstanding here!
> Let me correct my words:
> -> full code of each stable released version is packaged and freely  
> available (but undocumented since v1.0.0).

From: https://freemedforms.com/en/downloads/root

"Downloads are 100% compatible with the Debian social contract."

From: https://freemedforms.com/fr/downloads/root (translated)

"Since v1.1.0, some files are available under a license incompatible with
the social contract of Debian . If you are looking for software 100%
compatible with this contract, please refer to v1.0.0."

Without digging in too deep...
- You mentioned documentation removal in 1.0.0
- This page mentions DFSG-freeness was broken in 1.1.0

If these were two distinct periods of time, that would lead me to suspect
additional files were added that broke compatibility with the DFSG.

> We know that at least two forks exists (this is what our private data
> server's log tells us). We do not receive any patch, invitation to git
> repos, or any kind of official informations or queries.

This could definitely be a language barrier problem, but I don't follow. Why
are you concerned about forks? If you have quality open source software, then
people will fork it. Sometimes patches will be sent back upstream, other times
they won't be.

Take a look here: https://people.debian.org/~bap/dfsg-faq.html
Particularly at 9a (The Desert Island Test)

Demanding that all modifications be shared with you very clearly fails this
test, and is not actually part of the license you applied to the software.

> In consequence, we decide that our git repository will not be freely
> accessible. Approval does only concern the FreeMedForms' git and the
> ability to join the project as member (coder, tester, communication
> manager...).

It's probably worth noting, a public repository is recommended, but not
required for inclusion in Debian repositories. However, inclusion of source is
an absolute requirement.

This "documentation" that was removed seems to be much more than just developer
docs; I'm unable to find any non-header comments in any file.

If you look at how javascript is handled, any minified version is considered
compiled source. You are essentially doing the exact same to your source when
you release it. It's not the actual source... it's just some partial version of
it. In this case, with intentional obfuscation.



This could still make it into non-free, however, I'd urge you to reconsider
your motivations for releasing obfuscated source and refusing to share. Is it
really your desire to make software that's (per DFSG) not free?


-- 
Michael Lustfield

Bug#573254: (no subject)

[Michael Lustfield]

This was reported against 1.3.1, however 1.4.2 is available in oldstable. Can
you confirm if this issue is still present? If so, would you also be able to
also check against the latest git revision (many bug fixes are not released)?

-- 
Michael Lustfield

Bug#939427: rsnapshot adoption

[Michael Lustfield]

Gabriel,

Apologies- I missed your first line.

I finished with a fair bit of packaging clean up and officially adopted
rsnapshot. I'd be happy to co-maintain this package.

The packaging itself seems to be pretty straight-forward and easy to maintain.

I talked a little bit with upstream and they seemed very friendly and easy to
work with. Unfortunately, they're definitely lacking some manpower, which is
why rsnapshot hasn't seen a new release in a long time.

If you, or anyone else, are interested in helping with packaging or
(preferably) upstream, please let me know and I'll share some more details.

Cheers,
-- 
Michael Lustfield

Bug#939427: Plan To Adopt

[Michael Lustfield]

I don't see anything to indicate any problems with upstream. This appears to
just be one of many packages that gui orphaned.

I have a personal interest in this package and plan to adopt it.

-- 
Michael Lustfield (MTecknology)

Bug#928975: (no subject)

[Michael Lustfield]

When I first looked the source package, I only looked at d/copyright. Since I
didn't see Files-Excluded, and the upstream tarball didn't include '+dfsg' in
the name, I assumed the infringing files were not included.

Looking closer, I see that the files were actually removed, so this
source/package doesn't actually constitute a copyright violation, although this
is still a problem in upstream.

Moritz, would you be willing to include Files-Excluded: common/db-wrapper in
d/copyright and add +dfsg to d/watch? It looks like you're currently removing
the files manually and this method will help prevent future maintainers from
accidentally including these files. This also allows you to use uscan to
automatically remove the problematic files.

-- 
Michael Lustfield

Bug#928975: (no subject)

[Michael Lustfield]

After looking at the provided samples, I would agree that the similarity
between the two is too close to be a coincidence, especially considering the
timeline described/observed.

Without evidence to the contrary, I agree that this should be removed from
Debian. You should probably also file similar bugs with any other distro
(epel?) that may have a copy of software built from this source, as well as
with the upstream project itself. Depending on the result you get, you may
(hopefully not) find these resources helpful.

- http://gpl-violations.org/
- https://sfconservancy.org/about/
- http://www.softwarefreedom.org/about/contact/

-- 
Michael Lustfield

Bug#883872: (no subject)

[Michael Lustfield]

I forgot to mention- wildcards (?,*) are perfectly acceptable...

Files: protocols/oscar/*
Copyright: Adam Fritzler 
   Josh Myer 
   Daniel Reed 
   Eric Warmenhoven 
   Brock Wilcox 
License: LGPL-2.1

Files: lib/json.?
Copyright: 2012-2014, James McLaughlin
License: BSD-2-clause

Obviously it's not required, but I think it may be helpful in this scenario.

Bug#883872: (no subject)

[Michael Lustfield]

Control: reopen 883872

I still see a number of issues present...

- It implies all of the names listed hold copyright on most files
- "and others" & "et al." is not a valid copyright holder (upstream problem)
  + just omit these words from d/copyright
- protocols/oscar/* has 5 copyright holders (1 mentioned, 2 extra, 4 missing)
- protocols/twitter/* has two copyright holders (2 correct, 1 extra)
- protocols/ft.h is copyright by Marijn Kruisselbrink
- dcc.c is copyright by Uli Meis, not the others listed
- lib/proxy.c is copyright by ISC
- etc.

Although we pay little attention to specific years and permit some munging of
copyright holders, this copyright file still needs a bit of work.

... it would be nice if upstream didn't create such a mess.

If you start with Wilmer holding copyright on '*' (despite COPYING claiming
FSF), then further refining can be done with:
grep -iR copyright . | grep -Ev '(Wilmer|Lintux)'
Most others only have copyright on a small number of files.

Bug#883872: Bumping Severity

[Michael Lustfield]

severity: 883872 serious
thanks

We have confirmed that this is indeed a policy violation. Unfortunately, Sean's
message has gone without response for 20 days. In order to raise awareness and
find someone to correct these issues, I'm bumping the severity back up to it's
appropriate 'serious' status. With the policy violation confirmed, there is no
further need to change the severity.

To highlight a few of the files from the non-inclusive list in my original 
report:

- lib/ftutil.(c|h)
  Copyright: 2008 Uli Meis 
  License: GPL-2+
- lib/json.(c|h)
  Copyright: (C) 2012, 2013, 2014 James McLaughlin
  License: BSD-2-clause
- lib/Makefile
  Copyright: 2006 Lintux
  ^ If this is you, then this name should be corrected
- lib/ns_parse.c
  Copyright: 2004 by Internet Systems Consortium, Inc. ("ISC")
  Copyright: 1996,1999 by Internet Software Consortium.
  License: Expat


A machine readable format is not required, but I would recommend considering it
as it would make maintaining a proper documentation of copyright, and it's
subsequent reviews, much easier.

-- 
Michael Lustfield


pgphkmh1BwDPG.pgp
Description: OpenPGP digital signature

Bug#903156: RM: gitea -- RoM; FTBFS

[Michael Lustfield]

Package: ftp.debian.org
Severity: normal
Control: affects -1 gitea

Please remove the "gitea" package from contrib.

Reasoning:
- Any attempt to rebuild will result in a build failure
- It is severely out of date
- It has security bugs
- It has other functionality bugs
- It is currently orphaned (potentially a temporary status)
- It may or may not meet DFSG to the extent that contrib may be inappropriate
  (in it's current state, non-free seems more appropriate)
- It has never been stable enough to reach testing
- https://packages.qa.debian.org/g/gitea.html

-- 
Michael Lustfield


pgpHXS85hmv7E.pgp
Description: OpenPGP digital signature

Bug#895812: RFS: json-editor.js/0.7.28+ds-1 [ITP]

[Michael Lustfield]

I'm currently out of the country for a couple weeks and have no access to a
computer or my key.

At a cursory glance, I see no issues. When I return, if not uploaded, I'll
plan to do so.

Thanks for your efforts!

On Wed, May 16, 2018, 00:42 Joel Cross  wrote:

> Dear reviewers,
>
> I have uploaded a new version of json-editor.js, which addresses many of
> Paolo's concerns. It can be downloaded from
> https://mentors.debian.net/package/json-editor.js, and the git repository
> is available at https://salsa.debian.org/joelcross-guest/json-editor.js.
>
> -
> Joel Cross
>

Bug#894184: Gitea was Orphaned

[Michael Lustfield]

As is standard golang practice, dependency ABIs were changed within a single
git revision without any version bump (if any version existed at all). This
situation will produce build failures from any attempt to update the package. In
fact, I believe a number of dependencies have already been auto-removed from
Debian because of build failures.


You're argument that gogs would be better is 1) based on absolutely nothing but
your own personal opinion, 2) completely and utterly irrelevant, and 3)
continues proving how little you care about the DFSG. If I had continued
pursuing gogs and stopped at the same point, gogs would be in exactly the same
situation, facing the same problems. I did not continue packaging gogs because
the owner would not accept patches/requests to fix these problems.

Of course, this wouldn't be an issue for the gogs packages you (Piccoro) have
created because you are in no way concerned about DFSG, CVEs, or
reproducibility. (I say this after having looked at the packages you created.)


As things currently sit, the gitea package and subsequent dependencies have
been orphaned. My opinion is that gitea does not belong in the debian archives.
Gogs has proven to be a substantially lesser candidate.

In order for this bug to be resolved, someone will have to adopt the package.

-- 
Michael Lustfield

Bug#882090: (no subject)

[Michael Lustfield]

retitle 882090  RFP: node-yamljs -- JavaScript YAML 1.2 Parser & Encoder
thanks

I am no longer working on Gitea packaging and no longer have a need for this
package. However, the packaging is nearly ready for upload. If anyone wants to
take over - https://anonscm.debian.org/cgit/pkg-javascript/node-yamljs.git/

-- 
Michael Lustfield

Bug#871462: (no subject)

[Michael Lustfield]

retitle 871462  RFP: libjs-semanticui -- JS framework based around principles 
from natural language
tags 871462 + wontfix
close 871462
thanks

I am no longer working on Gitea packaging and no longer have a need for this 
package.

One would be wise to not attempt this ugly beast...
  https://wiki.debian.org/Javascript/Nodejs/Tasks/semantic-ui

-- 
Michael Lustfield

Bug#889495: O: libjs-dropzone - JavasScript library providing Dropzone

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889498: O: jquery-areyousure - jQuery plugin to alert users of unsaved changes

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889494: O: simplemde-markdown-editor - JavaScript library providing a simple Markdown editor

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889499: O: gitgraph.js - convert git log --graph to image with HTML5 canvas

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889496: O: libjs-cssrelpreload - JavaScript to load CSS asynchronously

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889497: O: libjs-autolink - JavaScript methods converting text to links

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889500: O: libjs-emojify - JavaScript library converting Emoji keywords to images

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889485: O: golang-gopkg-testfixtures.v2 - Rails-like test fixtures for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889484: O: golang-gopkg-gomail.v2 - simple and efficient package to send emails in Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889479: O: golang-github-gogits-go-gogs-client - Gogs API client in Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889482: O: golang-golang-x-sync - Supplemental Go synchronization libraries

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889480: O: golang-github-microcosm-cc-bluemonday - Go library for scrubbing user generated data of unapproved html

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889478: O: golang-github-blevesearch-bleve

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889481: O: golang-github-nbutton23-zxcvbn-go - Strong password generator in Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889291: O: golang-github-facebookgo-ensure - Provides utilities for testing to ensure conditions are met

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889292: O: golang-github-facebookgo-clock - Clock is a small Go library for mocking time

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889267: O: golang-code.gitea-sdk - SDK implementation to interact with the Gitea API

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889268: O: golang-code.gitea-git - Go module that provides git access through shell

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889265: golang-github-blevesearch-go-porterstemmer - Native Go implementation of the Porter Stemming algorithm

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889264: O: golang-github-blevesearch-segment - Go library for performing Unicode Text Segmentation

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889263: O: golang-github-bsm-pool - simple connection pool library for Golang

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889266: O: golang-github-alicebob-miniredis - Pure Go Redis server for Go unittests

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889260: O: golang-github-couchbase-moss - moss provides a fast key/value storage library for golang

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889261: O: golang-github-couchbase-ghistogram - simple int histogram for golang

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889262: O: golang-github-bsm-redeo - Framework for building redis-compatible TCP services

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889259: O: golang-github-cupcake-rdb - Redis RDB parser for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889258: O: golang-github-denisenkom-go-mssqldb - Microsoft SQL server driver written in go language

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889257: O: golang-github-edsrzf-mmap-go - portable mmap package for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889254: O: golang-github-facebookgo-httpdown - Gracefully shut down daemon without terminating connections

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889255: O: golang-github-facebookgo-grace - Graceful restart & zero downtime deploy for Go servers

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889256: O: golang-github-facebookgo-freeport - Go library to find a free TCP port for binding

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889248: O: golang-github-gogits-cron - Gogs cron library in Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889252: O: golang-github-facebookgo-stats - defines a lightweight interface for collecting statistics

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889249: O: golang-github-gogits-chardet - Charset detector library for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889247: O: golang-github-go-macaron-bindata - in-memory static and template files for Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889250: O: golang-github-glendc-gopher-json - simple JSON encoder/decoder for Gopher-Lua

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889251: O: golang-github-facebookgo-subset - Check if a value is a subset of another

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889242: O: golang-github-go-macaron-toolbox - health check, pprof, profile and statistic services for Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889241: O: golang-github-gopherjs-gopherjs - Go to Javascript compiler

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889246: O: golang-github-go-macaron-cache - Cache management middleware for Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889243: O: golang-github-go-macaron-i18n - Internationalization and Localization of Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889240: O: golang-github-gorilla-pat - request router and dispatcher with a pat-like interface

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889244: O: golang-github-go-macaron-csrf - generate and validate csrf tokens for Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889239: O: golang-github-gorilla-securecookie - provides authenticated and encrypted cookie values

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889245: O: golang-github-go-macaron-captcha - Captcha service for Macaron

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889237: O: golang-github-go-xorm-builder - SQL builder for XORM written in Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889238: O: golang-github-gorilla-sessions - save cookie and filesystem sessions and allow custom session backends

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889235: O: golang-github-issue9-identicon - generate an icon from identity information

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889236: O: golang-github-issue9-assert - Simple extension to test a series of assert functions

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889230: O: golang-github-leemcloughlin-gofarmhash - Implements Google's Farmhash in Golang

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889231: O: golang-github-kisielk-gotool - library of some utility functions provided by cmd/go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889228: O: golang-github-lunny-nodb - Nosql database with kv, list, hash, zset, bitmap, set

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889233: O: golang-github-joho-godotenv - Go port of Ruby's dotenv library

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889229: O: golang-github-lunny-log - Logging library with sqlite support for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889232: O: golang-github-juju-errors - Common juju errors and functions to annotate errors

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889234: O: golang-github-jaytaylor-html2text - Turns HTML into a plain-text equivalent

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889226: O: golang-github-mcuadros-go-version - version normalizer and comparison library for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889225: O: golang-github-mrjones-oauth - OAuth 1.0 Library for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889221: O: golang-github-neelance-astrewrite - Go tool to walk & rewrite AST

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889216: O: golang-github-ngaut-log - Provides a simple log wrapper for ngaut libraries

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889220: O: golang-github-neelance-sourcemap - Javascript source map reader and writer for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889219: O: golang-github-ngaut-deadline - deadline reader/writer

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889227: O: golang-github-markbates-goth - Multi-provider authentication for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889212: O: golang-github-pquerna-otp - Google Authenticator compatible one time passwords for Go

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889217: O: golang-github-ngaut-pools - provides pools for resources

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield

Bug#889215: O: golang-github-ngaut-sync2 - Additional synchronization primitives extracted from Vitess

[Michael Lustfield]

Package: wnpp
Severity: normal

This package was added to Debian as a dependency of Gitea. I am no longer
working on Gitea and no longer have a reason to continue maintaining the
dependencies.

-- 
Michael Lustfield