Re: Reporting unmaintained packages
On Thu, 21 Jan 2016, Chris Bannister wrote: [...] > Also, I'm under the impression that the bug submitter doesn't > automatically get sent any responses to the bug report. I don't know if I receive them all, but I do receive responses to bug reports I submitted. I'm not so sure about bug reports where I just sent additional information. I think for those one has to explicitly subscribe to the bug which seems like a good idea. -- Francois Gougethttp://fgouget.free.fr/ La terre est une bĂȘta...
Re: Reporting unmaintained packages
On Wed, Jan 20, 2016 at 07:19:00PM +, Brian wrote: > On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote: > > > On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote: > > > A small point: duplicate bugs are merged, not closed. You could do it if > > > > > > you are confident in your judgement. A more pertinent point is whether > > > > > > you should be concerned yet about a lack of the response. There could > > > > > > be a perfectly good reason for it. A year can be but the blink of an > > > > > > eyelid in Debian's calendar. :) > > > > Right, meanwhile the bug submitter is sitting around in the dark > > wondering what the story is. > > So, in addition to what the bug submitter has been told, the following > advice is offered . . . . . Well? A year is a long time to wait for an update on a bug report is what I'm saying. Also, I'm under the impression that the bug submitter doesn't automatically get sent any responses to the bug report. The reasons, apparently, are because developers submit many bugs, some MBF, and don't want to be 'swamped' with mail because of it. So I'm guessing the submitter has to check the bug number from time to time to check for any progress. -- "If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing." --- Malcolm X
Re: Reporting unmaintained packages
On Thu 21 Jan 2016 at 22:35:19 +1300, Chris Bannister wrote: > On Wed, Jan 20, 2016 at 07:19:00PM +, Brian wrote: > > On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote: > > > > > On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote: > > > > A small point: duplicate bugs are merged, not closed. You could do it > > > > if > > > > you are confident in your judgement. A more pertinent point is whether > > > > > > > > you should be concerned yet about a lack of the response. There could > > > > > > > > be a perfectly good reason for it. A year can be but the blink of an > > > > > > > > eyelid in Debian's calendar. :) > > > > > > Right, meanwhile the bug submitter is sitting around in the dark > > > wondering what the story is. > > > > So, in addition to what the bug submitter has been told, the following > > advice is offered . . . . . Well? > > A year is a long time to wait for an update on a bug report is what I'm > saying. Also, I'm under the impression that the bug submitter doesn't > automatically get sent any responses to the bug report. The reasons, > apparently, are because developers submit many bugs, some MBF, and don't > want to be 'swamped' with mail because of it. > > So I'm guessing the submitter has to check the bug number from time to > time to check for any progress. It is possible to subscribe to an individual bug or package: https://www.debian.org/Bugs/Developer#subscribe
Re: Reporting unmaintained packages
On Wed 20 Jan 2016 at 20:02:37 +1300, Chris Bannister wrote: > On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote: > > A small point: duplicate bugs are merged, not closed. You could do it if > > > > you are confident in your judgement. A more pertinent point is whether > > > > you should be concerned yet about a lack of the response. There could > > > > be a perfectly good reason for it. A year can be but the blink of an > > > > eyelid in Debian's calendar. :) > > Right, meanwhile the bug submitter is sitting around in the dark > wondering what the story is. So, in addition to what the bug submitter has been told, the following advice is offered . . . . . Well?
Re: Reporting unmaintained packages
On Tue 19 Jan 2016 at 16:27:36 +0100, Francois Gouget wrote: > On Mon, 18 Jan 2016, Francesco Ariis wrote: > > > On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote: > > >> The clamav-unofficial-sigs package has quite important bugs that cause > > >> it to fail to retrieve the SecuriteInfo virus signatures and send cron > > >> spam every 4 hours. > > >> > > >> [..] > > >> > > >> So what's the proper way to report this issue? > > > > Hello Francois, > > I assume the bug you are talking about is #783228 [1]. > > clamav-unofficial-sigs is not maintained by a single person, but by > > ClamAV Team. > > Actually I think the following three bugs are duplicates of each other. > At least now if not initially (various SecuriteInfo databases went > offline progressively so symptoms changed over time). > > * 783228: clamav-unofficial-sigs: securiteinfo databases not available any > more > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 > > * 784832: clamav-unofficial-sigs: Multiple error message at each execution > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832 > > * 774763: clamav-unofficial-sigs: Updating the databases timeouts on a > regular basis > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763 > (the timeouts are now 404s) > > Here is the activity for these bugs: > > Bug| Reported | User-provided workaround | ClamAV Team reply > 774763 | 2015/01/07 | 2015/04/24 | none > 783228 | 2015/04/24 | 2015/04/24 | none > 784832 | 2015/05/09 | 2016/01/18 | none > > So the the issues were reported over a year ago, workarounds provided > over 8 months ago, but the ClamAV team is nowhere to be found, hasn't > asked for more details, hasn't closed duplicate bugs, hasn't made any > new release of this package. A small point: duplicate bugs are merged, not closed. You could do it if you are confident in your judgement. A more pertinent point is whether you should be concerned yet about a lack of the response. There could be a perfectly good reason for it. A year can be but the blink of an eyelid in Debian's calendar. :) > So I did send more data for bug 774763 and 784832 but I'm mostly just > repeating information that's already available on bug 783228. So given > that information was available 9 months ago I'm not too hopeful. > > I could also send a patch but is it really necessary when the 'fix' is > as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was > described in bug 783228 (again, 9 months ago)? > > The right fix might be to upgrade to the newer upstream version > available from GitHub as reported in bug 785130, 9 months ago (that bug > got no reply at all). > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130 > > But then is it really the place of a user to provide a brand new package > for the maintainer to just push out? And I'm not willing to take over > maintainership because a) I'm not a Debian developer and b) I know I > won't have time to keep doing it. You've done what you can do. The trick is not to get too disheartened.
Re: Reporting unmaintained packages
On Tue, Jan 19, 2016 at 07:03:33PM +, Brian wrote: > A small point: duplicate bugs are merged, not closed. You could do it if > > you are confident in your judgement. A more pertinent point is whether > > you should be concerned yet about a lack of the response. There could > > be a perfectly good reason for it. A year can be but the blink of an > > eyelid in Debian's calendar. :) Right, meanwhile the bug submitter is sitting around in the dark wondering what the story is. -- "If you're not careful, the newspapers will have you hating the people who are being oppressed, and loving the people who are doing the oppressing." --- Malcolm X
Re: Reporting unmaintained packages
On Mon, 18 Jan 2016, Francesco Ariis wrote: > On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote: > >> The clamav-unofficial-sigs package has quite important bugs that cause > >> it to fail to retrieve the SecuriteInfo virus signatures and send cron > >> spam every 4 hours. > >> > >> [..] > >> > >> So what's the proper way to report this issue? > > Hello Francois, > I assume the bug you are talking about is #783228 [1]. > clamav-unofficial-sigs is not maintained by a single person, but by > ClamAV Team. Actually I think the following three bugs are duplicates of each other. At least now if not initially (various SecuriteInfo databases went offline progressively so symptoms changed over time). * 783228: clamav-unofficial-sigs: securiteinfo databases not available any more https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 * 784832: clamav-unofficial-sigs: Multiple error message at each execution https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832 * 774763: clamav-unofficial-sigs: Updating the databases timeouts on a regular basis https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763 (the timeouts are now 404s) Here is the activity for these bugs: Bug| Reported | User-provided workaround | ClamAV Team reply 774763 | 2015/01/07 | 2015/04/24 | none 783228 | 2015/04/24 | 2015/04/24 | none 784832 | 2015/05/09 | 2016/01/18 | none So the the issues were reported over a year ago, workarounds provided over 8 months ago, but the ClamAV team is nowhere to be found, hasn't asked for more details, hasn't closed duplicate bugs, hasn't made any new release of this package. So I did send more data for bug 774763 and 784832 but I'm mostly just repeating information that's already available on bug 783228. So given that information was available 9 months ago I'm not too hopeful. I could also send a patch but is it really necessary when the 'fix' is as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was described in bug 783228 (again, 9 months ago)? The right fix might be to upgrade to the newer upstream version available from GitHub as reported in bug 785130, 9 months ago (that bug got no reply at all). https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130 But then is it really the place of a user to provide a brand new package for the maintainer to just push out? And I'm not willing to take over maintainership because a) I'm not a Debian developer and b) I know I won't have time to keep doing it. -- Francois Gougethttp://fgouget.free.fr/ La terre est une bĂȘta...
Re: Reporting unmaintained packages
On 1/18/16, Brianwrote: > On Mon 18 Jan 2016 at 12:36:34 +0100, Francois Gouget wrote: > >> I'm not sure the developer is MIA but he does have quite a few other >> packages to maintain so may he's swamped or just lost interest in this >> particular package. >> https://qa.debian.org/developer.php?login=Paul+Wise > > Paul Wise is a very active maintainer. In fact... Pabs is "very active" over at Debian-Mentors https://lists.debian.org/debian-mentors Rightly or wrongly, it's coming across that a potential fix may be apparent to someone (the original poster?). If so, Debian-Mentors would be one great place to connect up with several very active maintainers to gain guidance on how to submit one's own patch towards fixing a known bug. >> Having that having out of date or missing virus signatures has security >> implications (more for some users that others, I'll grant you), getting >> a handle on these bugs seems quite important. >> >> So what's the proper way to report this issue? > > A bug report. After reading the existing ones. I may not be remembering this quite right(ly), but it SEEMS LIKE the Debian package "reportbug" offers users an on-the-spot opportunity to submit patches pertinent to their reported bug(s). Just thinking out loud again. :) Cindy :) -- Cindy-Sue Causey Talking Rock, Pickens County, Georgia, USA * hm. *
Re: Reporting unmaintained packages
On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote: >> The clamav-unofficial-sigs package has quite important bugs that cause >> it to fail to retrieve the SecuriteInfo virus signatures and send cron >> spam every 4 hours. >> >> [..] >> >> So what's the proper way to report this issue? Hello Francois, I assume the bug you are talking about is #783228 [1]. clamav-unofficial-sigs is not maintained by a single person, but by ClamAV Team. So if you reply to the bug (783...@bugs.debian.org), the mail should go to their list [2]. As usual with human matters, I bet the more clear/helpful you are, the likelier a positive outcome will be :P. [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 [2] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel On Mon, Jan 18, 2016 at 01:45:01PM +, Brian wrote: > A bug report. After reading the existing ones. He's talking about an already open bug report, having obviously checked it. I am starting to wonder if you even fully read the messages you reply to.
Re: Reporting unmaintained packages
On Mon 18 Jan 2016 at 12:36:34 +0100, Francois Gouget wrote: > > The clamav-unofficial-sigs package has quite important bugs that cause > it to fail to retrieve the SecuriteInfo virus signatures and send cron > spam every 4 hours. > > These issues were reported in april 2015 and changing the package so it > no longer tries to retrieve these virus signatures if they are no longer > available would be quite simple. Despite this the package has not been > updated since 2014. > > I'm not sure the developer is MIA but he does have quite a few other > packages to maintain so may he's swamped or just lost interest in this > particular package. > https://qa.debian.org/developer.php?login=Paul+Wise Paul Wise is a very active maintainer. > Having that having out of date or missing virus signatures has security > implications (more for some users that others, I'll grant you), getting > a handle on these bugs seems quite important. > > > So what's the proper way to report this issue? A bug report. After reading the existing ones.
Reporting unmaintained packages
The clamav-unofficial-sigs package has quite important bugs that cause it to fail to retrieve the SecuriteInfo virus signatures and send cron spam every 4 hours. These issues were reported in april 2015 and changing the package so it no longer tries to retrieve these virus signatures if they are no longer available would be quite simple. Despite this the package has not been updated since 2014. I'm not sure the developer is MIA but he does have quite a few other packages to maintain so may he's swamped or just lost interest in this particular package. https://qa.debian.org/developer.php?login=Paul+Wise Having that having out of date or missing virus signatures has security implications (more for some users that others, I'll grant you), getting a handle on these bugs seems quite important. So what's the proper way to report this issue? -- Francois Gougethttp://fgouget.free.fr/ E-Voting: It's not the people who vote that count. It's the people who count the votes.
Re: Reporting unmaintained packages
On Mon 18 Jan 2016 at 15:40:57 +0100, Francesco Ariis wrote: > On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote: > >> The clamav-unofficial-sigs package has quite important bugs that cause > >> it to fail to retrieve the SecuriteInfo virus signatures and send cron > >> spam every 4 hours. > >> > >> [..] > >> > >> So what's the proper way to report this issue? > > Hello Francois, > I assume the bug you are talking about is #783228 [1]. > clamav-unofficial-sigs is not maintained by a single person, but by > ClamAV Team. > So if you reply to the bug (783...@bugs.debian.org), the mail should go > to their list [2]. As usual with human matters, I bet the more > clear/helpful you are, the likelier a positive outcome will be :P. > > [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228 > [2] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel > > > On Mon, Jan 18, 2016 at 01:45:01PM +, Brian wrote: > > A bug report. After reading the existing ones. > > He's talking about an already open bug report, having obviously checked > it. I am starting to wonder if you even fully read the messages you > reply to. We both recommend submitting a bug report. Unfortunately, my mind reading and assumption skills are not completely operative at the best of times, so what the OP has read or not read didn't figure in my response.