Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/22/2015 10:35 AM, Patrick Matthäi wrote:
>>> This is the newer one:
>>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
>> Which is, again, ignored.
>
> Which is another issue and not ignored, it is on my TODO list.

There hasn't been a single comment from you regarding this issue in either of these two bug reports and the more recent one is close to a year old. Do you really think that people would assume from this situation that you are working on it?

But, anyway, I won't be bothered to comment on this anymore. Dropping support for an ancient networking protocol stack is a no-brainer and with all the users complaining about it, you could have at least provided a comment that you're working on it if not already fixed it.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 11:49, John Paul Adrian Glaubitz wrote:

Which is my whole point. Then this is a bug in roaraudio / dnprogs, not cmus. No one denies that. However, the problem is that the ROAR people refuse to drop DECnet support and hence Ron asked in [1] to drop ROAR audio support. As James Cowgill already stated: it is not true that I declined it. The ROAR developers and maintainers refuse to do that which is why we should drop it from cmus. They, for some reason, think it's important to support a pre-historic networking protocol. I found this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014 Which was closed with the message "Go away, I don't care." Where? Could you quote it from the report? Philipp changed a few things so that no one has to install the more dangerous dnet-common package and kindly asked if he could help him. This is the newer one: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934 Which is, again, ignored. Which is another issue and not ignored, it is on my TODO list.

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Hi Adrian,

On Sun, Jun 21, 2015 at 10:29:21AM +0200, John Paul Adrian Glaubitz wrote:
> On 06/21/2015 02:31 AM, Jonas Smedegaard wrote:
> >> Even just checking for the existence of dnet-common or similar
> >> would probably be enough.
> >
> > As I understand it, these are the issues raised here:
>
> You understand incorrectly then.
>
> > a) libdnet is unmaintained and thus potentially dangerous to link
> > against
> >
> > b) dnet-common commonly (or always by default?) cause whole system
> > to hang
>
> *Not* dnet-common, _libdnet_, seriously, read what I wrote!
>

libdnet is just a wrapper. You are jumping to unconfirmed conclusions here.

> > I disagree that any of above are bugs in cmus.
>
> Again, you are not reading what I wrote. Please leave the discussion
> if you refuse to do so! Alessio Teglia, one of the cmus maintainers
> himself said "Please file a bug report against cmus and ask for
> libroar2 to be demoted from Recommends to Suggests".
>

The roar and pulse dependencies are now only installed per suggests. You will probably still get the unconfirmed bug if you use the --install-suggests switch for apt. As that will pull in the stuff.

Maybe the proper way might have been to put them into separate plugin binary packages like it is done for cmus-plugin-ffmpeg? If not then you will encounter the funny problem that cmus might not start anymore if you don't have libroar or libpulse installed. In my test it produced a considerable hang on the first launch while it tried to find an audio output.

Btw. I could neither reproduce your bug on a Debian Jessie -> testing upgrade.

You did a great job there.

1. Threatening with the Technical Committee Sledgehammer against cmus
2. Possible usability problems for cmus
3. Doing nothing to fix or locate the original problem

The proper course of action, regardless if dnprogs is unmaintained or not, would have been to debug the problem. After that to clearly isolate the component inside roaraudio/dnet/cmus/whatever and then file an appropriate bug. If this would then be a request to drop the linkage or a bugfix against one of the components doesn't matter.

You could have simply opened a bugrequest against roaraudio to drop the decnet dependency and then if nothing happens consulted the TC.

If you would have read the two bugrequests you have linked then you would find out that these were either already answered with a description and a note that dnet-common won't be a recommended dep anymore or that there are next to no information at all.

But neither are you fixing the problem at the right place nor is unclear if you are fixing it at all.

What is if it's a legitimate bug? Now others will stumble upon it and have to work it out themselves. While it could have been debugged without much invested time on your side.

If this is how Debian works nowadays I am unsure if I want to continue using it.

Why do I even care?

Sorry if you see it as insulting, but it seems to me that you fail to see reason and are just mindlessly focussed on getting rid of roaraudio via the wrong methods and actions.

Thanks.

> Damn it, Jonas. Read what people wrote before you reply to the email!
>
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/21/2015 02:44 AM, Jonas Smedegaard wrote:
>> Jonas, do you actually read what I wrote?
>
> Yes.

No, you don't, because you constantly say the bug report is not correct even though a) Alessio requested it and b) already tagged this bug as "pending" which means he already made the change.

>> This very bug report exists because the maintainer of roaraudio
>> refuses to handle any bug reports regarding this issue
>
> That is no excuse for barking up the wrong tree: The proper way to
> escalate is to move the bugreport for the real issue to the
> technical committee.

There is no barking up the wrong tree if the one sitting on the tree asked me to. I don't even know why you jumped into this bug report with apparently not enough background information to join the discussion.

Please don't paint me as an ignorant fool when you're the one who is constantly ignoring the facts. I'm really tired of such allegations, I don't deserve being treated like an idiot here for all the work I do in Debian.

>> The sole reason for this bug report is to free cmus from broken
>> and unwanted dependencies.
>
> ...and the sole relevancy to discuss in this bugreport is therefore
> the bug reported.

No. This bug report exists because Alessio asked for it because Patrick was asked several times and never responded. That's why the decision was made by several people - including Alessio - to drop libroar2 from Recommends to Suggests.

> It seems there are disagreement if cmus is broken and if the
> dependency is unwanted.

There is no disagreement between the people in charge. There is just disagreement between the people in charge and bystanders who are apparently not correctly informed because they don't read mail.

And since discussing this under these circumstances is futile and Alessio has made the change anyway, I will pull out of this discussion now.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/21/2015 02:31 AM, Jonas Smedegaard wrote:
>> Even just checking for the existence of dnet-common or similar
>> would probably be enough.
>
> As I understand it, these are the issues raised here:

You understand incorrectly then.

> a) libdnet is unmaintained and thus potentially dangerous to link
> against
>
> b) dnet-common commonly (or always by default?) cause whole system
> to hang

*Not* dnet-common, _libdnet_, seriously, read what I wrote!

> I disagree that any of above are bugs in cmus.

Again, you are not reading what I wrote. Please leave the discussion if you refuse to do so! Alessio Teglia, one of the cmus maintainers himself said "Please file a bug report against cmus and ask for libroar2 to be demoted from Recommends to Suggests".

Damn it, Jonas. Read what people wrote before you reply to the email!

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/21/2015 02:36 AM, Jonas Smedegaard wrote:
> Quoting John Paul Adrian Glaubitz (2015-06-20 15:16:28)
>> You are still trying to boil this down to the mere problem with
>> cmus,
>
> This bugreport is filed against cmus, is it not?

This is correct. Upon the request of the maintainer of cmus who already prepared an upload which is why the bug is set to "pending".

>> but that's just a side effect. The real point is that roaraudio
>> depends on an unmaintained piece of core software which Debian
>> would like to get rid of.
>
> Then please reassign and retitle the bugreport to discuss the real
> issue where it belongs.

No, we won't, because:

a) Alessio asked for this bug report
b) Patrick Matthäi refuses to make any changes to libroar2 to help fix this problem
c) You apparently continue to refuse to read what people write to explain the situation

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On Sat, Jun 20, 2015 at 07:31:50PM -0500, Jonas Smedegaard wrote:
> Quoting Don Armstrong (2015-06-20 14:38:25)
> > There's clearly a bug here, but even after reading this bug log, I've
> > had to do research on my own to determine what that issue is.
> >
> > If the libroar2 maintainers wish to keep decnet support, then someone
> > should probably figure out how to circumvent waiting for the DECnet to
> > settle when it isn't actually configured, and propose a patch to do
> > that.
> >
> > Even just checking for the existence of dnet-common or similar would
> > probably be enough.
>
> As I understand it, these are the issues raised here:
>
> a) libdnet is unmaintained and thus potentially dangerous to link
> against
>
> b) dnet-common commonly (or always by default?) cause whole system to
> hang
>
> I disagree that any of above are bugs in cmus.

The bit where you and Adrian appear to be talking past each other is:

c) cmus Recommends roar. (which it didn't in the Wheezy release)

So anyone installing cmus on a default system (or upgrading from Wheezy) gets pulled into this.

Demoting that to (at least) Suggests was discussed before this bug was opened (in a thread that unfortunately didn't hit the BTS since it was CC'd to an archived bug when Adrian reported it).

Alessio already acknowledged that would be a good idea and suggested that Adrian open this bug to discuss whether even the Suggests was still appropriate if installing that suggestion had the same outcome.

To quote Alessio replying to Adrian on that:

> I acknowledge your request, it seems legit to me to demote libroar2
> from Recommends to Suggests.
> Could you please file a bug and set its severity to "important"?
> Furthermore, since I have removed 680...@bugs.debian.org from the CC:
> field as the bug is archived and no longer accepts mails, It would be
> great if you could attach our discussion to the report for future
> reference.

[1]

and his earlier reply re DECNet to Stephan:

> > While it might not be a common feature, it is a feature none the less.
>
> One that relies on functionalities provided by a factually dead
> software; please get rid of it.
> Meanwhile I'll be demoting cmus's libroar dependency from Recommends
> to Suggests. If roaraudio's maintainers do not show willingness to
> cooperate, then we'll hand this to the TC and see.

I don't have a dog in this race, beyond being CC'd to request some background clarification in the initial thread, and hoping you all get on the same page about it soon so it will stop filling my inbox.

I don't particularly care what you choose to do, but "roar pulls in DECNet -> DECNet breaks people's existing systems" is hardly a new problem. People mostly just had a brief respite from it, since for Wheezy packages that people did actually want stopped pulling in roar ...

Now that problem is back. The solutions are all pretty easy, you just need to pick one. "Ignoring it" isn't really in the solution set though, so please do pick one some way or another :)

hth,
Ron
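The chain described in the message above (cmus Recommends libroar2, which in turn pulls in libdnet), traced as an added example that is not part of the original thread. The control stanzas are constructed and simplified; in particular, which package carries the Suggests on dnet-common is an assumption, and the helper names are hypothetical.

```python
"""Trace how a flagged package enters an APT install through dependency fields."""
import re
from collections import deque

# Fields a plain "apt-get install" follows, and the set with --install-suggests.
DEFAULT_FIELDS = ("Pre-Depends", "Depends", "Recommends")
WITH_SUGGESTS = DEFAULT_FIELDS + ("Suggests",)

# Constructed sample modelled on the relationships named in the thread.
BEFORE = """\
Package: cmus
Depends: libc6 (>= 2.14)
Recommends: libroar2, libpulse0

Package: libroar2
Depends: libc6 (>= 2.14), libdnet,
 libslp1

Package: libdnet
Depends: libc6 (>= 2.14)
Suggests: dnet-common
"""

# The change discussed in the bug: demote Recommends to Suggests in cmus.
AFTER = BEFORE.replace("Recommends: libroar2, libpulse0",
                       "Suggests: libroar2, libpulse0")


def _names(value):
    """Reduce 'a (>= 1) | b, c:any' to ['a', 'c'] (first alternative only)."""
    names = []
    for clause in value.split(","):
        first = clause.split("|")[0]
        name = re.sub(r"\(.*?\)|\[.*?\]", "", first).strip().split(":")[0]
        if name:
            names.append(name)
    return names


def parse_stanzas(text):
    """Parse control-file stanzas into {package: {field: [dependency names]}}."""
    db = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, last = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and last:      # folded continuation line
                fields[last] += " " + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        name = fields.get("Package")
        if name:
            db[name] = {k: _names(v) for k, v in fields.items()
                        if k in WITH_SUGGESTS}
    return db


def find_chain(db, root, target, follow=DEFAULT_FIELDS):
    """Breadth-first search; returns [(package, field, dependency), ...] or None."""
    queue, seen = deque([(root, [])]), {root}
    while queue:
        pkg, path = queue.popleft()
        if pkg == target:
            return path
        for field in follow:
            for dep in db.get(pkg, {}).get(field, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append((dep, path + [(pkg, field, dep)]))
    return None


def describe(chain):
    """Render a chain as 'cmus -Recommends-> libroar2 -Depends-> libdnet'."""
    if not chain:
        return "not pulled in"
    return chain[0][0] + "".join(f" -{field}-> {dep}" for _, field, dep in chain)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        db = parse_stanzas(text)
        for flagged in ("libdnet", "dnet-common"):
            print(label, flagged, "default :", describe(find_chain(db, "cmus", flagged)))
            print(label, flagged, "suggests:",
                  describe(find_chain(db, "cmus", flagged, WITH_SUGGESTS)))
```

On a real system the same parser can be fed the stanzas printed by `apt-cache show` for the packages of interest.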
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 13:50:28)
> On 06/20/2015 08:42 PM, Jonas Smedegaard wrote:
>> Please file bugreports regarding security flaws of DECnet packages
>> against those DECnet packages, *not* their reverse dependencies!
>
> Jonas, do you actually read what I wrote?

Yes.

> This very bug report exists because the maintainer of roaraudio
> refuses to handle any bug reports regarding this issue

That is no excuse for barking up the wrong tree: The proper way to escalate is to move the bugreport for the real issue to the technical committee.

> The sole reason for this bug report is to free cmus from broken and
> unwanted dependencies.

...and the sole relevancy to discuss in this bugreport is therefore the bug reported.

It seems there are disagreement if cmus is broken and if the dependency is unwanted.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 15:16:28)
> You are still trying to boil this down to the mere problem with cmus,

This bugreport is filed against cmus, is it not?

> but that's just a side effect. The real point is that roaraudio
> depends on an unmaintained piece of core software which Debian would
> like to get rid of.

Then please reassign and retitle the bugreport to discuss the real issue where it belongs.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting Don Armstrong (2015-06-20 14:38:25)
> There's clearly a bug here, but even after reading this bug log, I've
> had to do research on my own to determine what that issue is.
>
> If the libroar2 maintainers wish to keep decnet support, then someone
> should probably figure out how to circumvent waiting for the DECnet to
> settle when it isn't actually configured, and propose a patch to do
> that.
>
> Even just checking for the existence of dnet-common or similar would
> probably be enough.

As I understand it, these are the issues raised here:

a) libdnet is unmaintained and thus potentially dangerous to link against

b) dnet-common commonly (or always by default?) cause whole system to hang

I disagree that any of above are bugs in cmus.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Hi Adrian,

On Sat, Jun 20, 2015 at 10:16:28PM +0200, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 09:52 PM, Stephan Jauernick wrote:
> > Please do for the reasons mentioned below. Also these are
> > considered standard of a good bug report.
>
> No, the problem is apparent and I don't really want to debug libdnet.
>
> You are still trying to boil this down to the mere problem with cmus,
> but that's just a side effect. The real point is that roaraudio depends
> on an unmaintained piece of core software which Debian would like
> to get rid of. It doesn't really matter if you're able to fix this
> bug now as this won't change anything about the unmaintained status
> of dnet-progs.
>
> So, please refrain from continuing the focus on this particular problem
> with cmus, this is not the main issue, it's just the trigger that
> brought me to the attention of this problem. I won't be bothered to
> continue the discussion anymore if your only concern is this particular
> problem with cmus but just eventually hand over the issue to the TC.
>

I am only a user who wants to help. While it is not even clear if it is in dnet you seem to be quite obsessed with it. So far from your previous mails I can only do a wild guess that it is somewhere in the cmus roar plugin/roaraudio complex.

I never used decnet myself and probably won't. Also I myself don't particularly care about decnet. Additionally I am not the maintainer of either project but just someone who wants to help.

If you point out a valid bug in decnet... I think nobody will object to dropping it. Also you are free to ask Patrick to drop the libdnet from roaraudio.

I am trying to find out where the bug is located so we finally can contact the right upstream and work on a fix.

> > I only get the decnet warning and then cmus starts up with about 5
> > seconds delay on the first start and from then on instantly.
>
> Which is _exactly_ the problem. It just appears that for some network
> configurations it seems to get stuck forever. It seems that it affects
> static network configurations. But again, it's not just this issue
> but the fact that dnet-prog is unmaintained, both upstream and in
> Debian and normally packages in such state - where it's apparent
> that no one is going to pick it up anywhere soon - are to be removed
> from Debian.
>

Then please make a bugreport against dnprogs, asking for it to be dropped from Debian.

We only know (as stated above I only can guess that much) that this bug occurs on some configurations (which are currently unnamed; for me it works on a virtualbox/with dhcp) and somewhere in the roaraudio/cmus plugin. It is not even clear if it is inside of libdnet.

You could recompile roaraudio and the cmus roar without dnet and check if you still get the same behaviour.

I would be happy to provide the debugging myself but I can't reproduce the bug.

You could start giving us a meaningful starting point for debugging the issue remotely.

Of course you can progress with trying to get Patrick or the TC to drop the dnet dependency. This might or might not solve the actual problem.

In the event it does: Good job. You fixed a bug without proper debugging.
In the event it doesn't: Good job. We can now finally start with bughunting!

> I mean, are you going to adopt the DECnet-related packages?

No. I am not going to do this. Reasons are stated above.

>
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 09:52 PM, Stephan Jauernick wrote:
> Please do for the reasons mentioned below. Also these are
> considered standard of a good bug report.

No, the problem is apparent and I don't really want to debug libdnet.

You are still trying to boil this down to the mere problem with cmus, but that's just a side effect. The real point is that roaraudio depends on an unmaintained piece of core software which Debian would like to get rid of. It doesn't really matter if you're able to fix this bug now as this won't change anything about the unmaintained status of dnet-progs.

So, please refrain from continuing the focus on this particular problem with cmus, this is not the main issue, it's just the trigger that brought me to the attention of this problem. I won't be bothered to continue the discussion anymore if your only concern is this particular problem with cmus but just eventually hand over the issue to the TC.

> I only get the decnet warning and then cmus starts up with about 5
> seconds delay on the first start and from then on instantly.

Which is _exactly_ the problem. It just appears that for some network configurations it seems to get stuck forever. It seems that it affects static network configurations. But again, it's not just this issue but the fact that dnet-prog is unmaintained, both upstream and in Debian and normally packages in such state - where it's apparent that no one is going to pick it up anywhere soon - are to be removed from Debian.

I mean, are you going to adopt the DECnet-related packages?

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Hi Adrian,

On Sat, Jun 20, 2015 at 07:34:25PM +0200, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 01:03 PM, Stephan Jauernick wrote:
> > Thanks for pointing that out. I was mistaken there. Sorry :(
>
> No worries, I don't think we disagree about the problem in general.
>
> > Can you maybe still provide a backtrace/strace log?
>

Please do for the reasons mentioned below. Also these are considered standard of a good bug report.

> This isn't really necessary as this isn't cmus crashing, it's cmus
> getting stuck because it's apparently waiting for the DECnet stack
> to become ready.
>
> I can't imagine that you cannot reproduce this on a clean install,
> I could reproduce it on all machines running at least Jessie.
>

I can't even reproduce it on unstable. I only get the decnet warning and then cmus starts up with about 5 seconds delay on the first start and from then on instantly.

My steps to reproduce in all 3 Debian versions:

1. Install a fresh VM from Netinst in VirtualBox
2. Accept the defaults for Desktop and additionally select SSH Server
3. Install cmus as root
4. Change back to a normal user
5. run cmus
6.
7. quit it again

> > Also are you running Debian 8 or Debian 9?
>
> I'm running unstable. But this problem is reproducible on Jessie
> and Stretch as well. After all, it were users at the department
> where I work who complained that cmus stopped working after
> upgrading to Jessie. There were no issues on Wheezy as the cmus
> version there was compiled without ROAR support.
>

Thanks, that's another thing I will test. Can you maybe give us a list of installed packages? I will assume that these are desktop machines which were used for some time before upgrading. Unless you can assure me these are fresh installs before updates, we can only assume that there are other packages installed which interfere.

I am currently upgrading my fresh Debian 8 vm from yesterday to Debian unstable. I will write back when it's done and I got to test that.

Also does it just hang or will cmus start after some time?

> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On Sat, 20 Jun 2015 20:46:17 +0200 John Paul Adrian Glaubitz wrote:
> >> Currently cmus is definitely getting stuck on a _fresh_ install,
> >> simply by installing with "apt-get install cmus".
> >
> > On those systems where you experience cmus being stuck, is the
> > package "dnet-common" also installed (or was it ever)?
>

I cannot reproduce this in a clean sid chroot: Can you please describe how you get your quoted behaviour?

root@edoras:/home/tobi# LANG=C apt-get install cmus
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  cmus-plugin-ffmpeg i965-va-driver libao-common libao4 libasound2
  libasyncns0 libavcodec56 libavformat56 libavresample2 libavutil54
  libcddb2 libcdio-cdda1 libcdio13 libcue1 libdnet libdrm-intel1
  libdrm-nouveau2 libdrm-radeon1 libdrm2 libelf1 libfaad2 libflac8
  libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libgsm1 libice6
  libjson-c2 libllvm3.5 libmad0 libmodplug1 libmp3lame0 libmpcdec6
  libnuma1 libogg0 libopenjpeg5 libopus0 liborc-0.4-0 libpciaccess0
  libpulse0 libroar2 libschroedinger-1.0-0 libslp1 libsm6 libsndfile1
  libspeex1 libspeexdsp1 libtheora0 libtxc-dxtn-s2tc0 libva1 libvdpau1
  libvorbis0a libvorbisenc2 libvorbisfile3 libvpx2 libwavpack1 libx11-6
  libx11-xcb1 libx264-146 libx265-59 libxau6 libxcb-dri2-0 libxcb-dri3-0
  libxcb-glx0 libxcb-present0 libxcb-sync1 libxcb1 libxdamage1 libxdmcp6
  libxext6 libxfixes3 libxi6 libxshmfence1 libxtst6 libxvidcore4
  libxxf86vm1 va-driver-all vdpau-va-driver
Suggested packages:
  libaudio2 libesd0 libesd-alsa0 libasound2-plugins dnet-common
  opus-tools pciutils pulseaudio libroar-plugins-universal
  roaraudio-server libmuroar0 slpd socat openslp-doc speex
  nvidia-vdpau-driver vdpau-driver libx265-59-dbg xvba-va-driver
The following NEW packages will be installed:
  cmus cmus-plugin-ffmpeg i965-va-driver libao-common libao4 libasound2
  libasyncns0 libavcodec56 libavformat56 libavresample2 libavutil54
  libcddb2 libcdio-cdda1 libcdio13 libcue1 libdnet libdrm-intel1
  libdrm-nouveau2 libdrm-radeon1 libdrm2 libelf1 libfaad2 libflac8
  libgl1-mesa-dri libgl1-mesa-glx libglapi-mesa libgsm1 libice6
  libjson-c2 libllvm3.5 libmad0 libmodplug1 libmp3lame0 libmpcdec6
  libnuma1 libogg0 libopenjpeg5 libopus0 liborc-0.4-0 libpciaccess0
  libpulse0 libroar2 libschroedinger-1.0-0 libslp1 libsm6 libsndfile1
  libspeex1 libspeexdsp1 libtheora0 libtxc-dxtn-s2tc0 libva1 libvdpau1
  libvorbis0a libvorbisenc2 libvorbisfile3 libvpx2 libwavpack1 libx11-6
  libx11-xcb1 libx264-146 libx265-59 libxau6 libxcb-dri2-0 libxcb-dri3-0
  libxcb-glx0 libxcb-present0 libxcb-sync1 libxcb1 libxdamage1 libxdmcp6
  libxext6 libxfixes3 libxi6 libxshmfence1 libxtst6 libxvidcore4
  libxxf86vm1 va-driver-all vdpau-va-driver
0 upgraded, 79 newly installed, 0 to remove and 0 not upgraded.

LANG=C dpkg -l cmus dnet-common libroar2
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name         Version       Architecture Description
+++-============-=============-============-================================
ii  cmus         2.5.0-7+b1    amd64        lightweight ncurses audio player
un  dnet-common                             (no description available)
ii  libroar2     1.0~beta11-1  amd64        foundation libraries for the RoarAudio sound ser

root@edoras:/home/tobi# su - tobi
tobi@edoras:~$ cmus
(cmus interface starts up apparently fine)

--
tobi
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On Sat, 20 Jun 2015, Patrick Matthäi wrote:
> On 20.06.2015 at 19:51, John Paul Adrian Glaubitz wrote:
> ld the release back because of such ancient
> >>> software?
> >
> >> OK, so let's drop iceweasel? This is definitely offtopic here
> >
> > No, we dropped sparc as a release architecture as a result
> > in case you missed that.
>
> Because of roaraudio? Oh no? Ok this is a really related issue here... X
> affected Y and Z was the result, so roaraudio is affected. Please
> discuss this with the iceweasel team if you have got enough free time.

Can we please stick with discussing the technical details of this issue
instead of attacking each other?

There's clearly a bug here, but even after reading this bug log, I've had
to do research on my own to determine what that issue is.

If the libroar2 maintainers wish to keep decnet support, then someone
should probably figure out how to circumvent waiting for the DECnet to
settle when it isn't actually configured, and propose a patch to do that.
Even just checking for the existence of dnet-common or similar would
probably be enough.

--
Don Armstrong
http://www.donarmstrong.com
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 08:42 PM, Jonas Smedegaard wrote:
> Please file bugreports regarding security flaws of DECnet packages
> against those DECnet packages, *not* their reverse dependencies!

Jonas, do you actually read what I wrote? This very bug report exists
because the maintainer of roaraudio refuses to handle any bug reports
regarding this issue - heck, he even claims that libroar2 does not
depend on libdnet which is, of course, incorrect - and the maintainer
for any of the DECnet stuff doesn't exist anymore, both in Debian and
upstream.

The sole reason for this bug report is to free cmus from broken and
unwanted dependencies. I am fully aware that the transitive dependency
on libdnet is to be blamed on roaraudio but as you have seen, it's
absolutely pointless to talk to its maintainer about the subject. He
ignores bug reports and refuses to accept the dependency exists in the
first place.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 08:25 PM, Jonas Smedegaard wrote:
>> glaubitz@ikarus:~$ apt-cache depends cmus | grep libroar2
>> Recommends: libroar2
>> glaubitz@ikarus:~$
>
> I agree that cmus pulls in libroar2. Why is that dangerous?

Because libroar _depends_ on libdnet which is an unwanted dependency
for most users for one:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014
> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027

And libdnet breaks cmus on some configurations as I have explained
now several times.

>> My elaborations regarding "--with-suggests" were regarding the
>> case that Alessio would drop libroar2 from Recommends to
>> Suggests.
>
> If you mean to say that "--with-suggests" is irrelevant to discuss
> here, then I agree: Use of special package install options should
> be irrelevant when discussing whether cmus is dangerously broken or
> not.
>
> If you mean something else then please elaborate.

No, I'm sorry. You misread what I wrote. Really, read my first message
in this bug report.

>> Currently cmus is definitely getting stuck on a _fresh_ install,
>> simply by installing with "apt-get install cmus".
>
> On those systems where you experience cmus being stuck, is the
> package "dnet-common" also installed (or was it ever)?

No. I never claimed that.

> If so, you will need to figure out how that got installed, and I am
> quite certain the cause is *not* cmus and therefore this bugreport
> against cmus is bogus.

It isn't bogus because, as several people have explained several times,
the maintainer of roaraudio refuses to drop DECnet support.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 12:56:56)
> On 06/20/2015 07:51 PM, Jonas Smedegaard wrote:
>>> Installing cmus on a newly installed system will therefore install
>>> libdnet as a transitive dependency
>>
>> Agreed cmus pulls in the _library_ for dnet.
>
> Which is unmaintained upstream and in Debian, see:
>
>> https://packages.qa.debian.org/d/dnprogs.html
>
> I think we can agree that is preferable not to have network stacks in
> Debian which are no longer actively maintained as they pose a possible
> security risk.

I think we can both agree that using cmus imposes a higher security risk
than using a simpler music player with fewer dependencies and thus fewer
overall lines of code potentially containing flaws.

Please file bugreports regarding security flaws of DECnet packages
against those DECnet packages, *not* their reverse dependencies!

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 13:00:53)
> On 06/20/2015 07:56 PM, Jonas Smedegaard wrote:
>>> I can't imagine that you cannot reproduce this on a clean
>>> install, I could reproduce it on all machines running at least
>>> Jessie.
>>
>> Please provide the command to reproduce _without_ --with-suggests
>> option enabled!
>
> Jonas, I think you need to re-read what I wrote. Currently libroar2 is
> a Recommends and _not_ a Suggests:
>
> glaubitz@ikarus:~$ apt-cache depends cmus | grep libroar2
> Recommends: libroar2
> glaubitz@ikarus:~$

I agree that cmus pulls in libroar2. Why is that dangerous?

> My elaborations regarding "--with-suggests" were regarding the case
> that Alessio would drop libroar2 from Recommends to Suggests.

If you mean to say that "--with-suggests" is irrelevant to discuss here,
then I agree: Use of special package install options should be
irrelevant when discussing whether cmus is dangerously broken or not.

If you mean something else then please elaborate.

> Currently cmus is definitely getting stuck on a _fresh_ install, simply
> by installing with "apt-get install cmus".

On those systems where you experience cmus being stuck, is the package
"dnet-common" also installed (or was it ever)?

If so, you will need to figure out how that got installed, and I am
quite certain the cause is *not* cmus and therefore this bugreport
against cmus is bogus.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 19:51, John Paul Adrian Glaubitz wrote:
ld the release back because of such ancient
>>> software?
>
>> OK, so let's drop iceweasel? This is definitely offtopic here
>
> No, we dropped sparc as a release architecture as a result
> in case you missed that.

Because of roaraudio? Oh no? Ok this is a really related issue here... X
affected Y and Z was the result, so roaraudio is affected. Please
discuss this with the iceweasel team if you have got enough free time.

>
>>> They introduced automatic removal of packages affected by RC bugs
>>> for this very reason and the fact that DECnet is no longer
>>> maintained means that ROAR is permanently at risk being affected
>>> by RC bugs unless you think you can fix vulnerabilities or other
>>> serious bug in an ancient networking stack.
>
>> Let's drop package XYZ: it may have got issues we didn't discover,
>> yet..
>
> No, let's drop package XYZ which _no_one_ maintains both upstream
> and downstream. It's absolutely a common practice in Debian
> and happens all the time.
>
> Here are some examples:
>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=206866
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=288112
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=179392
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=182434

You are just quoting mostly invalid closed reports which are as old as I
am :D
And it is not my package, just FYI

>
> I'm sorry Patrick, but I am starting to have doubts that you
> know how to do a proper job as a maintainer. You apparently
> don't read bug reports (as shown above), you don't know the
> details about your *own* packages (you claimed that libdnet
> is not a dependency which is simply untrue) and you apparently
> have never heard that Debian does, in fact, remove packages
> that are either buggy or no longer in active upstream
> development.

You are open to post to d-d@l.d.o something like "pmatthaei is not able
to do Debian work". I will make your life a bit easier and CC'ing d-d
now.. It makes no sense but it seems like this is the best way to follow
an issue to its own .

>
> We may really need to forward this to the technical committee
> and ask them to make a decision over the removal of the
> DECnet dependencies in ROAR as you are apparently completely
> out of touch with reality.

Please, do it.

But *again*: IMMEDIATELY STOP(!) adding/quoting/responding me for stuff
where I never was responsible for! And also for things like who is my
"buddy" or not, especially if they do not know the person at all..

I am just doing my Debian Developer work, also for the roaraudio
packages, but it looks again like you and Ron just want to fool.. .. .. .

--
/*
With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 19:28, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 06:56 PM, Patrick Matthäi wrote:
>>> I can't say what's right or best for cmus, but what is right for
>>> Debian seems fairly self evident to everyone but the roar
>>> maintainers.
>
>> There is no dependency of *roar* to dnet at all.
>
> Excuse me?
>
> glaubitz@ikarus:~$ apt-cache depends libroar2 |grep dnet
> Depends: libdnet
> glaubitz@ikarus:~$

dnet-common to be exactly now. libdnet is not problematic at all

>
>> Sorry Ron, but you are really the last person who is responsible to
>> discuss about topic at all. Same topic as with mumble/celt...
>
> Well, he's right and I am pretty sure that all these bug reports
> with requests to drop DECnet support by various users agree:
>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934

It is a packaging issue of roaraudio. Nothing decnet related.

>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

This is fixed since years

>> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027
>This is Ubuntu, not Debian. And in Debian there is no dependency on
libdnet-common.

>
> Patrick, why are you so incredibly stubborn and refuse to accept
> that no one wants to have DECnet packages installed on their
> system when they want to use ROAR or cmus?

John...
There is just a depends on a library pushing not more than yet another
lib on the system. Why? Because roaraudio is using some functions of it.
Where is the problem? Nowhere.

So John. What is *your* problem? I am not "stubborn" about this "issue".
It just looks like you made it to your religion to argue against it at
all without any arguments. You argue with release critical bugs which do
not exist etc etc..

Please use your free time to do something more innovative, like planting
a tree.. But never again add me to a troll discussion just because Ron
wants so.

--
/*
With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 07:56 PM, Jonas Smedegaard wrote:
>> I can't imagine that you cannot reproduce this on a clean
>> install, I could reproduce it on all machines running at least
>> Jessie.
>
> Please provide the command to reproduce _without_ --with-suggests
> option enabled!

Jonas, I think you need to re-read what I wrote. Currently libroar2 is
a Recommends and _not_ a Suggests:

glaubitz@ikarus:~$ apt-cache depends cmus | grep libroar2
Recommends: libroar2
glaubitz@ikarus:~$

My elaborations regarding "--with-suggests" were regarding the case
that Alessio would drop libroar2 from Recommends to Suggests.

Currently cmus is definitely getting stuck on a _fresh_ install, simply
by installing with "apt-get install cmus".

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 12:34:25)
> On 06/20/2015 01:03 PM, Stephan Jauernick wrote:
> > Thanks for pointing that out. I was mistaken there. Sorry :(
>
> No worries, I don't think we disagree about the problem in general.
>
> > Can you maybe still provide a backtrace/strace log?
>
> This isn't really necessary as this isn't cmus crashing, it's cmus
> getting stuck because it's apparently waiting for the DECnet stack
> to become ready.
>
> I can't imagine that you cannot reproduce this on a clean install,
> I could reproduce it on all machines running at least Jessie.

Please provide the command to reproduce _without_ --with-suggests option
enabled!

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 07:51 PM, Jonas Smedegaard wrote:
>> Installing cmus on a newly installed system will therefore
>> install libdnet as a transitive dependency
>
> Agreed cmus pulls in the _library_ for dnet.

Which is unmaintained upstream and in Debian, see:

> https://packages.qa.debian.org/d/dnprogs.html

I think we can agree that is preferable not to have network stacks in
Debian which are no longer actively maintained as they pose a possible
security risk.

>> and will result in cmus getting stuck directly after start as I
>> have reported earlier in the first message in this bug report
>> [1].
>
> The first message for this bugreport talks about --with-suggests.
>
> Can you please clarify how cmus causes breakage rather than the use
> of --with-suggests.

As you can see by the various bug reports, most people don't want
cmus or ROAR to install DECnet libraries on their machines under
any circumstances:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014
> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027

I really don't understand what keeps Patrick from dropping DECnet
support. I can't seriously imagine that anyone still uses it.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting Jonas Smedegaard (2015-06-20 12:51:10)
> Quoting John Paul Adrian Glaubitz (2015-06-20 12:22:09)
> > On 06/20/2015 05:45 PM, Jonas Smedegaard wrote:
> >> Please elaborate what in cmus is "broken by default" - seems this
> >> whole "issue" of yours stems from installing an additional package
> >> only _suggested_ by cmus.
> >
> > It's not a Suggests, it's a Recommends:
> >
> > glaubitz@ikarus:~$ apt-cache depends cmus |grep roar
> > Recommends: libroar2
> > glaubitz@ikarus:~$
> >
> > and apt is - by default - configured to install Recommends.
> >
> > Installing cmus on a newly installed system will therefore install
> > libdnet as a transitive dependency
>
> Agreed cmus pulls in the _library_ for dnet.

Correction: I agree cmus pulls in the library for _ROAR_.

> > and will result in cmus getting stuck directly after start as I have
> > reported earlier in the first message in this bug report [1].
>
> The first message for this bugreport talks about --with-suggests.
>
> Can you please clarify how cmus causes breakage rather than the use of
> --with-suggests.

Please do clarify above,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 12:22:09)
> On 06/20/2015 05:45 PM, Jonas Smedegaard wrote:
>> Please elaborate what in cmus is "broken by default" - seems this
>> whole "issue" of yours stems from installing an additional package
>> only _suggested_ by cmus.
>
> It's not a Suggests, it's a Recommends:
>
> glaubitz@ikarus:~$ apt-cache depends cmus |grep roar
> Recommends: libroar2
> glaubitz@ikarus:~$
>
> and apt is - by default - configured to install Recommends.
>
> Installing cmus on a newly installed system will therefore install
> libdnet as a transitive dependency

Agreed cmus pulls in the _library_ for dnet.

> and will result in cmus getting stuck directly after start as I have
> reported earlier in the first message in this bug report [1].

The first message for this bugreport talks about --with-suggests.

Can you please clarify how cmus causes breakage rather than the use of
--with-suggests.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 01:12 PM, Patrick Matthäi wrote:
>> It's definitely the Debian way when a certain package
>> functionality that maybe a handful people need breaks other
>> packages. Then it's your duty as a good Debian maintainer to get
>> rid of the old and broken stuff. And there have been more than
>> one bug report against ROAR that asked to drop the DECnet
>> dependency and you keep ignoring them.
>
> This is not true. Please attach links/emails where I ignored bug
> reports/requests (on other channels).

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

Are you actually reading bug reports? Serious question.

>> You are missing the point. I don't have a problem with fixing RC
>> bugs. I have a problem having to fix RC bugs in packages that no
>> one really uses anymore. In case you have forgotten, the release
>> process for Wheezy was dragged along endlessly because the amount
>> of RC bugs would simply not go down. Among such bugs were gems
>> like Iceweasel crashing on sparc or libsnack (used by aMSN)
>> having a buffer overflow vulnerability. Do you really think it's
>> justified to hold the release back because of such ancient
>> software?
>
> OK, so let's drop iceweasel? This is definitely offtopic here

No, we dropped sparc as a release architecture as a result
in case you missed that.

>> They introduced automatic removal of packages affected by RC bugs
>> for this very reason and the fact that DECnet is no longer
>> maintained means that ROAR is permanently at risk being affected
>> by RC bugs unless you think you can fix vulnerabilities or other
>> serious bug in an ancient networking stack.
>
> Let's drop package XYZ: it may have got issues we didn't discover,
> yet..

No, let's drop package XYZ which _no_one_ maintains both upstream
and downstream. It's absolutely a common practice in Debian
and happens all the time.

Here are some examples:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=206866
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=288112
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=179392
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=182434

I'm sorry Patrick, but I am starting to have doubts that you
know how to do a proper job as a maintainer. You apparently
don't read bug reports (as shown above), you don't know the
details about your *own* packages (you claimed that libdnet
is not a dependency which is simply untrue) and you apparently
have never heard that Debian does, in fact, remove packages
that are either buggy or no longer in active upstream
development.

We may really need to forward this to the technical committee
and ask them to make a decision over the removal of the
DECnet dependencies in ROAR as you are apparently completely
out of touch with reality.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 01:06 PM, Stephan Jauernick wrote:
> Could you please make a bug against roaraudio asking to drop the
> libdnet dependency?

There are already three of such bug reports:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014
> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027

This is why Ron asked in [1] to drop ROAR audio support in cmus
because he felt it was pointless to continue the discussion with
Patrick who thinks that in 2015 DECnet support is essential.

Adrian

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675610

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 01:03 PM, Stephan Jauernick wrote:
> Thanks for pointing that out. I was mistaken there. Sorry :(

No worries, I don't think we disagree about the problem in general.

> Can you maybe still provide a backtrace/strace log?

This isn't really necessary as this isn't cmus crashing, it's cmus
getting stuck because it's apparently waiting for the DECnet stack
to become ready.

I can't imagine that you cannot reproduce this on a clean install,
I could reproduce it on all machines running at least Jessie.

> Also are you running Debian 8 or Debian 9?

I'm running unstable. But this problem is reproducible on Jessie
and Stretch as well. After all, it were users at the department
where I work who complained that cmus stopped working after
upgrading to Jessie.

There were no issues on Wheezy as the cmus version there was
compiled without ROAR support.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 06:56 PM, Patrick Matthäi wrote:
>> I can't say what's right or best for cmus, but what is right for
>> Debian seems fairly self evident to everyone but the roar
>> maintainers.
>
> There is no dependency of *roar* to dnet at all.

Excuse me?

glaubitz@ikarus:~$ apt-cache depends libroar2 |grep dnet
Depends: libdnet
glaubitz@ikarus:~$

> Sorry Ron, but you are really the last person who is responsible to
> discuss about topic at all. Same topic as with mumble/celt...

Well, he's right and I am pretty sure that all these bug reports
with requests to drop DECnet support by various users agree:

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014
> https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027

Patrick, why are you so incredibly stubborn and refuse to accept
that no one wants to have DECnet packages installed on their
system when they want to use ROAR or cmus?

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 05:45 PM, Jonas Smedegaard wrote:
> Please elaborate what in cmus is "broken by default" - seems this
> whole "issue" of yours stems from installing an additional package
> only _suggested_ by cmus.

It's not a Suggests, it's a Recommends:

glaubitz@ikarus:~$ apt-cache depends cmus |grep roar
  Recommends: libroar2
glaubitz@ikarus:~$

and apt is - by default - configured to install Recommends. Installing cmus on a newly installed system will therefore install libdnet as a transitive dependency and will result in cmus getting stuck directly after start as I have reported earlier in the first message in this bug report [1].

Thanks,
Adrian

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789256#5

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
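The dependency chain quoted in the message above (cmus Recommends libroar2, libroar2 Depends libdnet and libslp1), worked through as an added example that is not part of the thread or of any Debian tool: it walks a constructed package list the way `aptitude why` reports a chain, and shows how the answer changes when the link is a Recommends or a Suggests and when `APT::Install-Recommends` is switched off. The function names are hypothetical, and the resolver is a simplification (first alternative only, no Provides, Conflicts or version solving).

```python
import re
from collections import deque

# Constructed sample in Debian control-file style. It encodes only the
# relationships quoted in the thread; real stanzas carry many more fields.
SAMPLE_PACKAGES = """\
Package: cmus
Recommends: libroar2

Package: libroar2
Depends: libdnet, libslp1

Package: libdnet

Package: libslp1
"""

RELATIONS = ("Depends", "Recommends", "Suggests")
NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]+")


def parse_relation(value):
    """Turn 'a (>= 1), b:any | c' into ['a', 'b'] (first alternative only)."""
    names = []
    for clause in value.split(","):
        first = clause.split("|")[0].strip()
        match = NAME.match(first)  # stops before ' (>= ...)' and ':arch'
        if match:
            names.append(match.group(0))
    return names


def parse_packages(text):
    """Return {package: {relation: [package names]}} from control stanzas."""
    graph = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") or ":" not in line:
                continue  # continuation lines are not needed for this check
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if "Package" in fields:
            graph[fields["Package"]] = {
                rel: parse_relation(fields.get(rel, "")) for rel in RELATIONS
            }
    return graph


def why(graph, root, target, install_recommends=True, install_suggests=False):
    """Shortest chain from root to target that the given policy follows.

    Returns a list of (relation, package) pairs starting with (None, root),
    or None when installing root would not pull in target.
    """
    followed = ["Depends"]
    if install_recommends:
        followed.append("Recommends")
    if install_suggests:
        followed.append("Suggests")
    queue = deque([[(None, root)]])
    seen = {root}
    while queue:
        path = queue.popleft()
        package = path[-1][1]
        if package == target:
            return path
        for relation in followed:
            for dep in graph.get(package, {}).get(relation, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append(path + [(relation, dep)])
    return None


def render(path):
    """Format a chain for display, one arrow per followed relationship."""
    if path is None:
        return "not pulled in"
    text = path[0][1]
    for relation, package in path[1:]:
        text += f" --{relation}--> {package}"
    return text


if __name__ == "__main__":
    graph = parse_packages(SAMPLE_PACKAGES)
    for label, recommends in (("default policy", True),
                              ("Install-Recommends off", False)):
        chain = why(graph, "cmus", "libdnet", install_recommends=recommends)
        print(f"{label}: {render(chain)}")
```
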
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 18:45, Ron wrote:
> On Sat, Jun 20, 2015 at 01:02:50PM +0200, John Paul Adrian Glaubitz wrote:
>> On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
>>> I need roaraudio for myself? He is my buddy? I don't know him at
>>> all :o John: please stop writing e-mails like this..
>>
>> It's Adrian, not John, and I am just quoting Ron who certainly isn't
>> making this stuff up. It has apparently always been Stephan who came
>> forward and asked for ROAR audio reactivation.
>
> You're confusing Patrick and Philipp :)

I am not confused.

>> But I couldn't find any evidence the _current_ maintainer of
>> roaraudio has refused to remove DECnet support. The current bug
>> about it has no replies.
>
> None of the people responsible for roar has changed in all the years
> that people have been having trouble with this and trying to resolve
> it, so if there's no new responses it seems fairly safe to assume
> that their previous refusals still stand.
>
> I can't say what's right or best for cmus, but what is right for
> Debian seems fairly self evident to everyone but the roar maintainers.

There is no dependency of *roar* to dnet at all.

> Personally I don't really see that this needs to go to the TC, it's
> purely a maintainer decision for the cmus people whether they want to
> support this as a dependency or not. And whether or not that's a sane
> thing to do basically rests on whether the roar people actually engage
> with resolving the ongoing concerns, or continue to insist that DECnet
> being dead and obsolete is some kind of insidious conspiracy theory.

Sorry Ron, but you are really the last person who is responsible to discuss about topic at all. Same topic as with mumble/celt...

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On Sat, Jun 20, 2015 at 01:02:50PM +0200, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
> > I need roaraudio for myself? He is my buddy? I don't know him at
> > all :o John: please stop writing e-mails like this..
>
> It's Adrian, not John, and I am just quoting Ron who certainly isn't
> making this stuff up. It has apparently always been Stephan who came
> forward and asked for ROAR audio reactivation.

You're confusing Patrick and Philipp :)

Not that it makes a whole lot of difference here, we've had exactly the same sort of rambling dismissal of this as a problem from both of them, every time somebody tried to resolve this (and I was far from the first to have been pulled into trying or needing to do that).

James, Re:

> But I couldn't find any evidence the _current_ maintainer of
> roaraudio has refused to remove DECnet support. The current bug
> about it has no replies.

None of the people responsible for roar has changed in all the years that people have been having trouble with this and trying to resolve it, so if there's no new responses it seems fairly safe to assume that their previous refusals still stand.

I can't say what's right or best for cmus, but what is right for Debian seems fairly self evident to everyone but the roar maintainers.

Personally I don't really see that this needs to go to the TC, it's purely a maintainer decision for the cmus people whether they want to support this as a dependency or not. And whether or not that's a sane thing to do basically rests on whether the roar people actually engage with resolving the ongoing concerns, or continue to insist that DECnet being dead and obsolete is some kind of insidious conspiracy theory.

  Cheers,
  Ron
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Quoting John Paul Adrian Glaubitz (2015-06-20 04:49:37)
> On 06/19/2015 01:37 PM, James Cowgill wrote:
>> From the bug:
>>> RC severity mostly so this shows up on the radars of all the
>>> right people crossing off the details we need to finalise for the
>>> release.
>>
>> That doesn't apply here.
>
> stretch will be released at some point in the future and we will
> exactly run into the same problem. We already did for Jessie where
> cmus is now broken by default.

Please elaborate what in cmus is "broken by default" - seems this whole "issue" of yours stems from installing an additional package only _suggested_ by cmus.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 13:02, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
>> I need roaraudio for myself? He is my buddy? I don't know him at
>> all :o John: please stop writing e-mails like this..
>
> It's Adrian, not John, and I am just quoting Ron who certainly isn't
> making this stuff up. It has apparently always been Stephan who came
> forward and asked for ROAR audio reactivation.

No, it was your e-mail. To quote it again: "except you and your buddy Patrick."
Stop it, seriously..

>>> If you desperately need ROAR audio in cmus, then you can rebuild
>>> it manually. Debian should not keep packages that are dead
>>> upstream, especially when it comes to network libraries. There is
>>> _always_ the risk of these being the source of RC bugs.
>
>> This is definitely not the Debian packaging way: "just some people
>> want to use it: build it yourself"
>
> It's definitely the Debian way when a certain package functionality
> that maybe a handful people need breaks other packages. Then it's
> your duty as a good Debian maintainer to get rid of the old and
> broken stuff. And there have been more than one bug report against
> ROAR that asked to drop the DECnet dependency and you keep ignoring
> them.

This is not true. Please attach links/emails where I ignored bug reports/requests (on other channels).

>>> I have fixed dozens of such packages during the Wheezy release
>>> phase with NMU uploads because the original maintainer was MIA
>>> and we really should try to avoid such problems in future
>>> releases.
>
>> Thanks for fixing RC bugs, this is our job @ Debian :)
>
> You are missing the point. I don't have a problem with fixing RC
> bugs. I have a problem having to fix RC bugs in packages that
> no one really uses anymore. In case you have forgotten, the
> release process for Wheezy was dragged along endlessly because
> the amount of RC bugs would simply not go down. Among such bugs
> were gems like Iceweasel crashing on sparc or libsnack (used
> by aMSN) having a buffer overflow vulnerability. Do you really
> think it's justified to hold the release back because of such
> ancient software?

OK, so let's drop iceweasel? This is definitely offtopic here

> They introduced automatic removal of packages affected by RC
> bugs for this very reason and the fact that DECnet is no longer
> maintained means that ROAR is permanently at risk being affected
> by RC bugs unless you think you can fix vulnerabilities or
> other serious bug in an ancient networking stack.

Let's drop package XYZ: it may have got issues we didn't discover, yet..

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On Sat, Jun 20, 2015 at 12:42:57PM +0200, John Paul Adrian Glaubitz wrote:

Hi Adrian,

Could you please make a bug against roaraudio asking to drop the libdnet dependency?

> Stephan,
>
> seriously, you are missing the point. Absolutely _no_one_ needs ROAR
> audio with DECnet support except you and your buddy Patrick.
>
> If you desperately need ROAR audio in cmus, then you can rebuild it
> manually. Debian should not keep packages that are dead upstream,
> especially when it comes to network libraries. There is _always_
> the risk of these being the source of RC bugs.
>
> I have fixed dozens of such packages during the Wheezy release
> phase with NMU uploads because the original maintainer was MIA
> and we really should try to avoid such problems in future releases.
>
> Again, if you need ROAR audio in cmus, just rebuild the package
> yourself. It's not magic and would save you and us a lot of time
> and nerves.
>
> Thanks,
> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Hi Adrian,

On Sat, Jun 20, 2015 at 12:47:57PM +0200, John Paul Adrian Glaubitz wrote:
> On 06/20/2015 12:23 PM, Stephan Jauernick wrote:
> > Is there a chance that you got slp installed? If yes. please try
> > to remove it. On Jessie libslp gets pulled in automatically.
>
> Btw, how did you remove libslp1 without removing libroar2?
>
> glaubitz@ikarus:~$ aptitude why libslp1
> i   cmus     Recommends libroar2
> i A libroar2 Depends    libslp1
> glaubitz@ikarus:~$
>

Thanks for pointing that out. I was mistaken there. Sorry :(

Can you maybe still provide a backtrace/strace log?

Also are you running Debian 8 or Debian 9?

> Adrian
>
> --
>  .''`.  John Paul Adrian Glaubitz
> : :' :  Debian Developer - glaub...@debian.org
> `. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
>   `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 12:52 PM, Patrick Matthäi wrote:
> I need roaraudio for myself? He is my buddy? I don't know him at
> all :o John: please stop writing e-mails like this..

It's Adrian, not John, and I am just quoting Ron who certainly isn't making this stuff up. It has apparently always been Stephan who came forward and asked for ROAR audio reactivation.

>> If you desperately need ROAR audio in cmus, then you can rebuild
>> it manually. Debian should not keep packages that are dead
>> upstream, especially when it comes to network libraries. There is
>> _always_ the risk of these being the source of RC bugs.
>
> This is definitely not the Debian packaging way: "just some people
> want to use it: build it yourself"

It's definitely the Debian way when a certain package functionality that maybe a handful people need breaks other packages. Then it's your duty as a good Debian maintainer to get rid of the old and broken stuff. And there have been more than one bug report against ROAR that asked to drop the DECnet dependency and you keep ignoring them.

>> I have fixed dozens of such packages during the Wheezy release
>> phase with NMU uploads because the original maintainer was MIA
>> and we really should try to avoid such problems in future
>> releases.
>
> Thanks for fixing RC bugs, this is our job @ Debian :)

You are missing the point. I don't have a problem with fixing RC bugs. I have a problem having to fix RC bugs in packages that no one really uses anymore. In case you have forgotten, the release process for Wheezy was dragged along endlessly because the amount of RC bugs would simply not go down. Among such bugs were gems like Iceweasel crashing on sparc or libsnack (used by aMSN) having a buffer overflow vulnerability. Do you really think it's justified to hold the release back because of such ancient software?

They introduced automatic removal of packages affected by RC bugs for this very reason and the fact that DECnet is no longer maintained means that ROAR is permanently at risk being affected by RC bugs unless you think you can fix vulnerabilities or other serious bug in an ancient networking stack.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 20.06.2015 at 12:42, John Paul Adrian Glaubitz wrote:
> Stephan,
>
> seriously, you are missing the point. Absolutely _no_one_ needs ROAR
> audio with DECnet support except you and your buddy Patrick.

I need roaraudio for myself? He is my buddy? I don't know him at all :o
John: please stop writing e-mails like this..

> If you desperately need ROAR audio in cmus, then you can rebuild it
> manually. Debian should not keep packages that are dead upstream,
> especially when it comes to network libraries. There is _always_
> the risk of these being the source of RC bugs.

This is definitely not the Debian packaging way: "just some people want to use it: build it yourself"

> I have fixed dozens of such packages during the Wheezy release
> phase with NMU uploads because the original maintainer was MIA
> and we really should try to avoid such problems in future releases.

Thanks for fixing RC bugs, this is our job @ Debian :)

--
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

  Blog: http://www.linux-dev.org/
E-Mail: pmatth...@debian.org
        patr...@linux-dev.org
*/
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 12:23 PM, Stephan Jauernick wrote:
> Is there a chance that you got slp installed? If yes. please try
> to remove it. On Jessie libslp gets pulled in automatically.

Btw, how did you remove libslp1 without removing libroar2?

glaubitz@ikarus:~$ aptitude why libslp1
i   cmus     Recommends libroar2
i A libroar2 Depends    libslp1
glaubitz@ikarus:~$

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/20/2015 12:23 PM, Stephan Jauernick wrote:
> Is there a chance that you got slp installed? If yes. please try
> to remove it. On Jessie libslp gets pulled in automatically.

Oh, and btw, removing essential packages like OpenSLP is _not_ an option. That's basically crippling functionality just because the ROAR developers can't get with the time and drop a network protocol that hasn't seen any serious use for at least 15 years.

OpenSLP is a useful thing to have on most desktops and most people don't want to uninstall it just because of cmus.

Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Stephan,

seriously, you are missing the point. Absolutely _no_one_ needs ROAR audio with DECnet support except you and your buddy Patrick.

If you desperately need ROAR audio in cmus, then you can rebuild it manually. Debian should not keep packages that are dead upstream, especially when it comes to network libraries. There is _always_ the risk of these being the source of RC bugs.

I have fixed dozens of such packages during the Wheezy release phase with NMU uploads because the original maintainer was MIA and we really should try to avoid such problems in future releases.

Again, if you need ROAR audio in cmus, just rebuild the package yourself. It's not magic and would save you and us a lot of time and nerves.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Hi,

I will post the important part of one of my previous mails again:

Is there a chance that you got slp installed? If yes, please try to remove it. On Jessie libslp gets pulled in automatically.

I can't reproduce the bug on a fresh debian wheezy VM. And neither on a fresh debian jessie VM. Please attach system information and a stacktrace to your bug on cmus.

Wheezy does not install dnet/roar at all and Jessie installs libroar, libdnet and libslp. Both start up without problems. On Jessie I additionally get a warning about /etc/decnet.conf. Which is the info that decnet is not configured.

I also ran two tests:

1. cmus on Wheezy with https://archive.org/details/onclassical-quality-wav-audio-files-of-classical-music files: works nicely
2. cmus on Jessie with roaraudio as output: works as nicely as with the default soundserver

I did not test on Debian 9 so far.

I fear that I can't reproduce your issue. :(

Kind Regards,
Stephan
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/19/2015 01:37 PM, James Cowgill wrote:
> From the bug:
>> RC severity mostly so this shows up on the radars of all the
>> right people crossing off the details we need to finalise for the
>> release.
>
> That doesn't apply here.

stretch will be released at some point in the future and we will exactly run into the same problem. We already did for Jessie where cmus is now broken by default.

> Hmm I personally can't get cmus to break this way but it could be
> RC if it breaks in default installations.

Did you remove your .cmus configuration directory? If you have an existing .cmus directory, it often works. However, this bug was discovered by someone at my physics department after upgrading to Jessie. Initially, .cmus immediately segfaulted with her old configuration directory. I asked her to rename it, so cmus would use a new directory and she ended up with the application being stuck at the start because of libdnet.

It is clearly reproducible. Just did a test install on an unstable system where cmus was never installed and I get:

glaubitz@ikarus:~$ cmus
getnodeadd: Can not open /etc/decnet.conf

Interestingly, on this machine there is a timeout and cmus starts eventually. However, I have seen machines (which had a static IP network configuration) where it hung forever.

>> Which is my whole point.
>
> Then this is a bug in roaraudio / dnprogs, not cmus.

No one denies that. However, the problem is that the ROAR people refuse to drop DECnet support and hence Ron asked in [1] to drop ROAR audio support.

>> The ROAR developers and maintainers refuse to do that which is
>> why we should drop it from cmus. They, for some reason, think
>> it's important to support a pre-historic networking protocol.
>
> I found this bug:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

Which was closed with the message "Go away, I don't care."

> This is the newer one:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934

Which is, again, ignored.

> But I couldn't find any evidence the _current_ maintainer of
> roaraudio has refused to remove DECnet support. The current bug
> about it has no replies.

Quoting what Ron said who requested the removal in [1]:

But basically roar was a disaster on lots of fronts as we were trying to wrap up the wheezy freeze. It was getting dragged in as a hard dependency by packages it was pretty hard to avoid having installed if you had any sort of media support application installed - and the DECNet farce meant that was breaking people's network configuration.

It in turn was also depending on the obsolete celt package which we trying to get removed from wheezy - and every attempt to get its maintainers to try to fix these things was met with "what problem? I see no problem here. DECNet is essential functionality, we can't drop it ..."

Which basically meant the only choice remaining was to get roar itself removed from wheezy (which meant dropping the deps on it for anything that didn't also want to get removed with it).

AFAICT, about the only two actual users of roar in the world are Philipp, its primary author, and his mate Stephan (who filed all the "bring it back" bugs for him).

If cmus is Recommending it again, then yeah, dropping that back to a suggests at the very least seems like a prudent move if it's still breaking people's systems ... Though if it's still going to break the systems of people who install it as a Suggests - and its upstream is still refusing to fix that after all these years of it being a known problem, I have to wonder a bit about even the value of that ... but that's really a question for the cmus users and maintainer to decide where the value lies.

Adrian

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675610

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
severity 789256 wishlist
retitle 789256 cmus: please drop support for ROAR
thanks

Quoting James Cowgill (2015-06-19 06:02:31)
> On Fri, 2015-06-19 at 10:52 +0200, John Paul Adrian Glaubitz wrote:
>> Severity: serious
>> Justification: potentially breaks other packages
>> As previously discussed, I am opening a bug report against cmus to
>> drop ROAR support from cmus. The reason is that ROAR still depends on
>> libdnet which is potentially dangerous as it may disrupt a user's
>> network configuration [1] for users who run apt-get with
>> --install-suggests and consequently, the removal of ROAR audio
>> support was previously requested in Debian [2] as well as Ubuntu [3].
>
> Using apt-get with --install-suggests isn't that common so I don't
> think this warrants an RC severity (it doesn't break the package for
> everyone).

cmus does not pull in potentially dangerous packages - the package management system does, via the --install-suggests argument.

This issue is therefore not even important, but only a wishlist issue of dropping a truly optional feature.

Lowering accordingly.

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
(sorry I got the pts email addresses wrong before)

On Fri, 2015-06-19 at 13:06 +0200, John Paul Adrian Glaubitz wrote:
> On 06/19/2015 01:02 PM, James Cowgill wrote:
> > Using apt-get with --install-suggests isn't that common so I don't
> > think this warrants an RC severity (it doesn't break the package
> > for everyone).
>
> It was RC severity before, see [1]. Furthermore, ROAR audio currently
> breaks cmus because of DECnet and the ROAR developers refuse to
> remove support for it.

From the bug:
> RC severity mostly so this shows up on the radars of all the right
> people crossing off the details we need to finalise for the release.

That doesn't apply here.

Hmm I personally can't get cmus to break this way but it could be RC if it breaks in default installations.

> > If you look at the status of DECnet:
> >
> > No kernel maintainer (except general net/ maintenance):
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS?id=v4.1-rc8#n3060
> >
> > dnprogs upstream appears to be dead:
> > http://sourceforge.net/projects/linux-decnet/
> >
> > dnprogs is orphaned:
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750670
>
> Which is my whole point.

Then this is a bug in roaraudio / dnprogs, not cmus.

> > IMHO dnprogs should be removed and roaraudio should drop support
> > for DECnet - unless someone who actually uses DECnet is willing to
> > maintain this stuff.
>
> The ROAR developers and maintainers refuse to do that which is why
> we should drop it from cmus. They, for some reason, think it's important
> to support a pre-historic networking protocol.

I found this bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675014

This is the newer one:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934

But I couldn't find any evidence the _current_ maintainer of roaraudio has refused to remove DECnet support. The current bug about it has no replies.

James
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
On 06/19/2015 01:02 PM, James Cowgill wrote:
> Using apt-get with --install-suggests isn't that common so I don't
> think this warrants an RC severity (it doesn't break the package
> for everyone).

It was RC severity before, see [1]. Furthermore, ROAR audio currently breaks cmus because of DECnet and the ROAR developers refuse to remove support for it.

> If you look at the status of DECnet:
>
> No kernel maintainer (except general net/ maintenance):
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS?id=v4.1-rc8#n3060
>
> dnprogs upstream appears to be dead:
> http://sourceforge.net/projects/linux-decnet/
>
> dnprogs is orphaned:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750670

Which is my whole point.

> IMHO dnprogs should be removed and roaraudio should drop support
> for DECnet - unless someone who actually uses DECnet is willing to
> maintain this stuff.

The ROAR developers and maintainers refuse to do that which is why we should drop it from cmus. They, for some reason, think it's important to support a pre-historic networking protocol.

Adrian

> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675610

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Control: severity -1 important

On Fri, 2015-06-19 at 10:52 +0200, John Paul Adrian Glaubitz wrote:
> Package: cmus
> Version: 2.5.0-7+b1
> Severity: serious
> Justification: potentially breaks other packages
>
> Hello!
>
> As previously discussed, I am opening a bug report against cmus to drop
> ROAR support from cmus. The reason is that ROAR still depends on libdnet
> which is potentially dangerous as it may disrupt a user's network
> configuration [1] for users who run apt-get with --install-suggests
> and consequently, the removal of ROAR audio support was previously
> requested in Debian [2] as well as Ubuntu [3].

Using apt-get with --install-suggests isn't that common so I don't think this warrants an RC severity (it doesn't break the package for everyone).

If you look at the status of DECnet:

No kernel maintainer (except general net/ maintenance):
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/MAINTAINERS?id=v4.1-rc8#n3060

dnprogs upstream appears to be dead:
http://sourceforge.net/projects/linux-decnet/

dnprogs is orphaned:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750670

IMHO dnprogs should be removed and roaraudio should drop support for DECnet - unless someone who actually uses DECnet is willing to maintain this stuff.

Related bug:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755934

This would also mean that this bug would be fixed for any other consumers of roaraudio.

Thanks,
James
Bug#789256: cmus: Pulls in unwanted and potentially dangerous DECnet packages through libroar2
Package: cmus
Version: 2.5.0-7+b1
Severity: serious
Justification: potentially breaks other packages

Hello!

As previously discussed, I am opening a bug report against cmus to drop ROAR support from cmus. The reason is that ROAR still depends on libdnet which is potentially dangerous as it may disrupt a user's network configuration [1] for users who run apt-get with --install-suggests and consequently, the removal of ROAR audio support was previously requested in Debian [2] as well as Ubuntu [3].

Furthermore, it has been observed that ROAR with DECnet even directly affects cmus now, rendering the package unusable after installation, being stuck directly after starting cmus:

glaubitz@z6:~> cmus
getnodeadd: Can not open /etc/decnet.conf

I therefore request the removal of ROAR support in cmus completely. If anyone needs this feature, they can just rebuild cmus locally since apparently there aren't any users for ROAR audio besides its original maintainer and his buddy who requested re-adding the feature in [4].

Thanks,
Adrian

> [1] https://lists.debian.org/debian-user/2011/09/msg00287.html
> [2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=675610
> [3] https://bugs.launchpad.net/ubuntu/+source/cmus/+bug/923027
> [4] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=680745

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing'), (99, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.0.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cmus depends on:
ii  libao4          1.1.0-3
ii  libasound2      1.0.28-1
ii  libc6           2.19-18
ii  libcddb2        1.3.2-5
ii  libcdio-cdda1   0.83-4.2
ii  libcdio13       0.83-4.2
ii  libcue1         1.4.0-1
ii  libfaad2        2.8.0~cvs20150510-1
ii  libflac8        1.3.1-2
ii  libmad0         0.15.1b-8
ii  libmodplug1     1:0.8.8.4-4.1+b1
ii  libmpcdec6      2:0.1~r459-4.1
ii  libncursesw5    5.9+20150516-2
ii  libtinfo5       5.9+20150516-2
ii  libvorbisfile3  1.3.4-2
ii  libwavpack1     4.75.0-1

Versions of packages cmus recommends:
ii  cmus-plugin-ffmpeg  2.5.0-7+b1
ii  libpulse0           6.0-2
ii  libroar2            1.0~beta11-1

cmus suggests no packages.

-- no debconf information
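The dependency chain argued over in this thread can be checked from package metadata. The following Python sketch is an added example, not part of the bug report or of any Debian tool: it walks constructed control stanzas and reports the strongest chain by which cmus pulls in a DECnet package, which shows whether a default install or only --install-suggests is affected. The stanza contents are constructed, and the libdnet Suggests dnet-common edge is an assumption.

```python
import re
from collections import deque

# Constructed control stanzas (not real archive data). cmus -> libroar2 and
# libroar2 -> libdnet follow the thread; libdnet -> dnet-common is an assumption.
SAMPLE = """\
Package: cmus
Depends: libao4, libasound2, libc6 (>= 2.15)
Recommends: cmus-plugin-ffmpeg, libpulse0, libroar2

Package: libroar2
Depends: libc6 (>= 2.15), libdnet

Package: libdnet
Suggests: dnet-common
"""

# APT follows Depends and Recommends by default, Suggests only with --install-suggests.
RANK = {"Depends": 0, "Recommends": 1, "Suggests": 2}

def parse(text):
    """Return {package: [(dependency, field), ...]}; alternatives (a | b) count as edges."""
    graph = {}
    for stanza in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines())
        graph[fields["Package"]] = [
            (item.split("(")[0].strip(), field)
            for field in RANK
            for item in re.split(r"[,|]", fields.get(field, "")) if item.strip()
        ]
    return graph

def pull_chain(graph, root, target):
    """Return (path, weakest_field) for the strongest chain root -> target, else None."""
    for limit in RANK:  # try Depends-only first, then allow weaker links
        queue, seen = deque([[root]]), {root}
        while queue:
            path = queue.popleft()
            if path[-1] == target:
                return path, limit
            for dep, field in graph.get(path[-1], []):
                if RANK[field] <= RANK[limit] and dep not in seen:
                    seen.add(dep)
                    queue.append(path + [dep])
    return None

if __name__ == "__main__":
    for pkg in ("libdnet", "dnet-common"):
        print(pkg, pull_chain(parse(SAMPLE), "cmus", pkg))
```

A weakest link of Recommends or stronger means a default apt-get install is affected; Suggests means only installs run with --install-suggests are.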