Re: Reporting unmaintained packages

[Francois Gouget]

On Thu, 21 Jan 2016, Chris Bannister wrote:
[...]
> Also, I'm under the impression that the bug submitter doesn't
> automatically get sent any responses to the bug report.

I don't know if I receive them all, but I do receive responses to bug 
reports I submitted.

I'm not so sure about bug reports where I just sent additional 
information. I think for those one has to explicitly subscribe to the 
bug which seems like a good idea.


-- 
Francois Gouget   http://fgouget.free.fr/
   La terre est une bêta...

Re: Reporting unmaintained packages

[Chris Bannister]

On Wed, Jan 20, 2016 at 07:19:00PM +, Brian wrote:
> On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote:
> 
> > On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote:
> > > A small point: duplicate bugs are merged, not closed. You could do it if  
> > >   
> > > you are confident in your judgement. A more pertinent point is whether
> > >   
> > > you should be concerned yet about a lack of the response.  There could
> > >   
> > > be a perfectly good reason for it. A year can be but the blink of an  
> > >   
> > > eyelid in Debian's calendar. :)
> > 
> > Right, meanwhile the bug submitter is sitting around in the dark
> > wondering what the story is.
> 
> So, in addition to what the bug submitter has been told, the following
> advice is offered . . . . . Well?

A year is a long time to wait for an update on a bug report is what I'm
saying. Also, I'm under the impression that the bug submitter doesn't
automatically get sent any responses to the bug report. The reasons,
apparently, are because developers submit many bugs, some MBF, and don't
want to be 'swamped' with mail because of it.

So I'm guessing the submitter has to check the bug number from time to
time to check for any progress.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X

Re: Reporting unmaintained packages

[Brian]

On Thu 21 Jan 2016 at 22:35:19 +1300, Chris Bannister wrote:

> On Wed, Jan 20, 2016 at 07:19:00PM +, Brian wrote:
> > On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote:
> > 
> > > On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote:
> > > > A small point: duplicate bugs are merged, not closed. You could do it 
> > > > if
> > > > you are confident in your judgement. A more pertinent point is whether  
> > > > 
> > > > you should be concerned yet about a lack of the response.  There could  
> > > > 
> > > > be a perfectly good reason for it. A year can be but the blink of an
> > > > 
> > > > eyelid in Debian's calendar. :)
> > > 
> > > Right, meanwhile the bug submitter is sitting around in the dark
> > > wondering what the story is.
> > 
> > So, in addition to what the bug submitter has been told, the following
> > advice is offered . . . . . Well?
> 
> A year is a long time to wait for an update on a bug report is what I'm
> saying. Also, I'm under the impression that the bug submitter doesn't
> automatically get sent any responses to the bug report. The reasons,
> apparently, are because developers submit many bugs, some MBF, and don't
> want to be 'swamped' with mail because of it.
> 
> So I'm guessing the submitter has to check the bug number from time to
> time to check for any progress.

It is possible to subscribe to an individual bug or package:

https://www.debian.org/Bugs/Developer#subscribe

Re: Reporting unmaintained packages

[Brian]

On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote:

> On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote:
> > A small point: duplicate bugs are merged, not closed. You could do it if
> > 
> > you are confident in your judgement. A more pertinent point is whether  
> > 
> > you should be concerned yet about a lack of the response.  There could  
> > 
> > be a perfectly good reason for it. A year can be but the blink of an
> > 
> > eyelid in Debian's calendar. :)
> 
> Right, meanwhile the bug submitter is sitting around in the dark
> wondering what the story is.

So, in addition to what the bug submitter has been told, the following
advice is offered . . . . . Well?

Re: Reporting unmaintained packages

[Brian]

On Tue 19 Jan 2016 at 16:27:36 +0100, Francois Gouget wrote:

> On Mon, 18 Jan 2016, Francesco Ariis wrote:
> 
> > On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
> > >> The clamav-unofficial-sigs package has quite important bugs that cause 
> > >> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
> > >> spam every 4 hours.
> > >> 
> > >> [..]
> > >> 
> > >> So what's the proper way to report this issue?
> > 
> > Hello Francois,
> > I assume the bug you are talking about is #783228 [1].
> > clamav-unofficial-sigs is not maintained by a single person, but by
> > ClamAV Team.
> 
> Actually I think the following three bugs are duplicates of each other. 
> At least now if not initially (various SecuriteInfo databases went 
> offline progressively so symptoms changed over time).
> 
> * 783228: clamav-unofficial-sigs: securiteinfo databases not available any 
> more
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
> 
> * 784832: clamav-unofficial-sigs: Multiple error message at each execution
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832
> 
> * 774763: clamav-unofficial-sigs: Updating the databases timeouts on a 
> regular basis
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763
>   (the timeouts are now 404s)
> 
> Here is the activity for these bugs:
> 
> Bug| Reported   | User-provided workaround | ClamAV Team reply
> 774763 | 2015/01/07 | 2015/04/24   | none
> 783228 | 2015/04/24 | 2015/04/24   | none
> 784832 | 2015/05/09 | 2016/01/18   | none
> 
> So the the issues were reported over a year ago, workarounds provided 
> over 8 months ago, but the ClamAV team is nowhere to be found, hasn't 
> asked for more details, hasn't closed duplicate bugs, hasn't made any 
> new release of this package.

A small point: duplicate bugs are merged, not closed. You could do it if

you are confident in your judgement. A more pertinent point is whether  

you should be concerned yet about a lack of the response.  There could  

be a perfectly good reason for it. A year can be but the blink of an

eyelid in Debian's calendar. :)
 
> So I did send more data for bug 774763 and 784832 but I'm mostly just 
> repeating information that's already available on bug 783228. So given 
> that information was available 9 months ago I'm not too hopeful.
> 
> I could also send a patch but is it really necessary when the 'fix' is 
> as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was 
> described in bug 783228 (again, 9 months ago)?
> 
> The right fix might be to upgrade to the newer upstream version 
> available from GitHub as reported in bug 785130, 9 months ago (that bug 
> got no reply at all).
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130
> 
> But then is it really the place of a user to provide a brand new package 
> for the maintainer to just push out? And I'm not willing to take over 
> maintainership because a) I'm not a Debian developer and b) I know I 
> won't have time to keep doing it.

You've done what you can do. The trick is not to get too disheartened.

Re: Reporting unmaintained packages

[Chris Bannister]

On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote:
> A small point: duplicate bugs are merged, not closed. You could do it if  
>   
> you are confident in your judgement. A more pertinent point is whether
>   
> you should be concerned yet about a lack of the response.  There could
>   
> be a perfectly good reason for it. A year can be but the blink of an  
>   
> eyelid in Debian's calendar. :)

Right, meanwhile the bug submitter is sitting around in the dark
wondering what the story is.

-- 
"If you're not careful, the newspapers will have you hating the people
who are being oppressed, and loving the people who are doing the 
oppressing." --- Malcolm X

Re: Reporting unmaintained packages

[Francois Gouget]

On Mon, 18 Jan 2016, Francesco Ariis wrote:

> On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
> >> The clamav-unofficial-sigs package has quite important bugs that cause 
> >> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
> >> spam every 4 hours.
> >> 
> >> [..]
> >> 
> >> So what's the proper way to report this issue?
> 
> Hello Francois,
> I assume the bug you are talking about is #783228 [1].
> clamav-unofficial-sigs is not maintained by a single person, but by
> ClamAV Team.

Actually I think the following three bugs are duplicates of each other. 
At least now if not initially (various SecuriteInfo databases went 
offline progressively so symptoms changed over time).

* 783228: clamav-unofficial-sigs: securiteinfo databases not available any more
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228

* 784832: clamav-unofficial-sigs: Multiple error message at each execution
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832

* 774763: clamav-unofficial-sigs: Updating the databases timeouts on a regular 
basis
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763
  (the timeouts are now 404s)

Here is the activity for these bugs:

Bug| Reported   | User-provided workaround | ClamAV Team reply
774763 | 2015/01/07 | 2015/04/24   | none
783228 | 2015/04/24 | 2015/04/24   | none
784832 | 2015/05/09 | 2016/01/18   | none

So the the issues were reported over a year ago, workarounds provided 
over 8 months ago, but the ClamAV team is nowhere to be found, hasn't 
asked for more details, hasn't closed duplicate bugs, hasn't made any 
new release of this package.

So I did send more data for bug 774763 and 784832 but I'm mostly just 
repeating information that's already available on bug 783228. So given 
that information was available 9 months ago I'm not too hopeful.

I could also send a patch but is it really necessary when the 'fix' is 
as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was 
described in bug 783228 (again, 9 months ago)?

The right fix might be to upgrade to the newer upstream version 
available from GitHub as reported in bug 785130, 9 months ago (that bug 
got no reply at all).

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130

But then is it really the place of a user to provide a brand new package 
for the maintainer to just push out? And I'm not willing to take over 
maintainership because a) I'm not a Debian developer and b) I know I 
won't have time to keep doing it.
 

-- 
Francois Gouget   http://fgouget.free.fr/
   La terre est une bêta...

Re: Reporting unmaintained packages

[Cindy-Sue Causey]

On 1/18/16, Brian  wrote:
> On Mon 18 Jan 2016 at 12:36:34 +0100, Francois Gouget wrote:
>
>> I'm not sure the developer is MIA but he does have quite a few other
>> packages to maintain so may he's swamped or just lost interest in this
>> particular package.
>> https://qa.debian.org/developer.php?login=Paul+Wise
>
> Paul Wise is a very active maintainer.


In fact... Pabs is "very active" over at Debian-Mentors

https://lists.debian.org/debian-mentors

Rightly or wrongly, it's coming across that a potential fix may be
apparent to someone (the original poster?). If so, Debian-Mentors
would be one great place to connect up with several very active
maintainers to gain guidance on how to submit one's own patch towards
fixing a known bug.


>> Having that having out of date or missing virus signatures has security
>> implications (more for some users that others, I'll grant you), getting
>> a handle on these bugs seems quite important.
>>
>> So what's the proper way to report this issue?
>
> A bug report. After reading the existing ones.


I may not be remembering this quite right(ly), but it SEEMS LIKE the
Debian package "reportbug" offers users an on-the-spot opportunity to
submit patches pertinent to their reported bug(s).

Just thinking out loud again. :)

Cindy :)

-- 
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* hm. *

Re: Reporting unmaintained packages

[Francesco Ariis]

On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
>> The clamav-unofficial-sigs package has quite important bugs that cause 
>> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
>> spam every 4 hours.
>> 
>> [..]
>> 
>> So what's the proper way to report this issue?

Hello Francois,
I assume the bug you are talking about is #783228 [1].
clamav-unofficial-sigs is not maintained by a single person, but by
ClamAV Team.
So if you reply to the bug (783...@bugs.debian.org), the mail should go
to their list [2]. As usual with human matters, I bet the more
clear/helpful you are, the likelier a positive outcome will be :P.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
[2] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel


On Mon, Jan 18, 2016 at 01:45:01PM +, Brian wrote:
> A bug report. After reading the existing ones.

He's talking about an already open bug report, having obviously checked
it. I am starting to wonder if you even fully read the messages you
reply to.

Re: Reporting unmaintained packages

[Brian]

On Mon 18 Jan 2016 at 12:36:34 +0100, Francois Gouget wrote:

> 
> The clamav-unofficial-sigs package has quite important bugs that cause 
> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
> spam every 4 hours.
> 
> These issues were reported in april 2015 and changing the package so it 
> no longer tries to retrieve these virus signatures if they are no longer 
> available would be quite simple. Despite this the package has not been 
> updated since 2014.
> 
> I'm not sure the developer is MIA but he does have quite a few other 
> packages to maintain so may he's swamped or just lost interest in this 
> particular package.
> https://qa.debian.org/developer.php?login=Paul+Wise

Paul Wise is a very active maintainer.
 
> Having that having out of date or missing virus signatures has security 
> implications (more for some users that others, I'll grant you), getting 
> a handle on these bugs seems quite important.
> 
> 
> So what's the proper way to report this issue?

A bug report. After reading the existing ones.

Reporting unmaintained packages

[Francois Gouget]

The clamav-unofficial-sigs package has quite important bugs that cause 
it to fail to retrieve the SecuriteInfo virus signatures and send cron 
spam every 4 hours.

These issues were reported in april 2015 and changing the package so it 
no longer tries to retrieve these virus signatures if they are no longer 
available would be quite simple. Despite this the package has not been 
updated since 2014.

I'm not sure the developer is MIA but he does have quite a few other 
packages to maintain so may he's swamped or just lost interest in this 
particular package.
https://qa.debian.org/developer.php?login=Paul+Wise

Having that having out of date or missing virus signatures has security 
implications (more for some users that others, I'll grant you), getting 
a handle on these bugs seems quite important.


So what's the proper way to report this issue?

-- 
Francois Gouget   http://fgouget.free.fr/
  E-Voting: It's not the people who vote that count.
 It's the people who count the votes.

Re: Reporting unmaintained packages

[Brian]

On Mon 18 Jan 2016 at 15:40:57 +0100, Francesco Ariis wrote:

> On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
> >> The clamav-unofficial-sigs package has quite important bugs that cause 
> >> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
> >> spam every 4 hours.
> >> 
> >> [..]
> >> 
> >> So what's the proper way to report this issue?
> 
> Hello Francois,
> I assume the bug you are talking about is #783228 [1].
> clamav-unofficial-sigs is not maintained by a single person, but by
> ClamAV Team.
> So if you reply to the bug (783...@bugs.debian.org), the mail should go
> to their list [2]. As usual with human matters, I bet the more
> clear/helpful you are, the likelier a positive outcome will be :P.
> 
> [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
> [2] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
> 
> 
> On Mon, Jan 18, 2016 at 01:45:01PM +, Brian wrote:
> > A bug report. After reading the existing ones.
> 
> He's talking about an already open bug report, having obviously checked
> it. I am starting to wonder if you even fully read the messages you
> reply to.

We both recommend submitting a bug report. Unfortunately, my mind reading
and assumption skills are not completely operative at the best of times,
so what the OP has read or not read didn't figure in my response.