Package: metastore
Version: 1+20080623+debian-5
Severity: important

Dear Maintainer,

I am the official maintainer of the metastore project since commit
f65c0a03c214 done by David Härdeman, who was the previous metastore
maintainer (and co-maintainer of the Debian package). He ceded
maintainership of metastore to me publicly via a GitHub PR (because
GitHub was where I was developing my metastore continuation,
unofficial back then):

https://github.com/przemoc/metastore/pull/32

I merged commit f65c0a03c214 on the same day, i.e. 2015-10-26.

Before that happened I reported an important xattr-related bug to Debian
on 2015-09-07 (#798222) and provided a patch (commit 489d58670283,
2015-09-06), but there was no action from your side.

A few months later another important xattr-related bug was
discovered and fixed (commit 98e73203bf9d, 2016-01-12).

On 2016-01-31 I mailed you about the metastore-announce mailing list (very
low traffic - 2 mails/year so far), whose archive is available at:
https://www.freelists.org/archive/metastore-announce/
You didn't subscribe to it.

metastore 1.1.0 was released shortly after (commit 0197117b4411,
2016-02-01).

Recently another important xattr-related bug manifesting on 64-bit
platforms was discovered (maybe even CVE-worthy) and fixed
(commit 5b060d5b7f0d, 2017-11-24), and I quite quickly posted about
it on the ML:
https://www.freelists.org/post/metastore-announce/Serious-xattrrelated-bug-in-metastore-v110

Unfortunately back then I didn't have time and other resources to do
the release, so it was delayed until yesterday night, or actually
today, to be precise.

metastore 1.1.1 has been released with commit 56f3f9228dfe, pointed to by
the annotated and GPG-signed tag v1.1.1. Announcement on the mailing list:
https://www.freelists.org/post/metastore-announce/metastore-v111

I still use Debian from time to time, so it pains me that metastore is
in such a neglected state here. I am not willing to become the Debian
maintainer of metastore, though, as I am not sure if being upstream
maintainer and distro package maintainer at the same time is a good
thing.

Besides updating metastore itself, its homepage (debian/control) and
upstream download URL (debian/watch) should be changed as well:
https://github.com/przemoc/metastore
http://ftp.przemoc.net/pub/software/utils/metastore/ metastore-(.+)\.tar\.gz

Tarballs are signed with my signing-only subkey:

    rsa4096/0xFA94ECC62EBFBFBA    [expires: 2017-12-13]
    fingerprint  =  B97A 7939 E022 800C 9808  6A32 FA94 ECC6 2EBF BFBA

(this one expires soon, so future versions will be signed with some
new one, obviously).
My signing-only subkey is associated with my main key:

    rsa4096/0x879C7468EAD49C84
    fingerprint  =  BA46 8718 D588 669A 6633  98CE 879C 7468 EAD4 9C84

As you can easily check on GitHub, I cannot say I'm actively
developing metastore right now, but I always treat bugs seriously, so
at least it's not an abandoned project.

I know that the metastore userbase is extremely small, but if Debian
provides such a package, it should be as bug-free a version as possible,
which has not been the case for a second year already. At this moment there
are 3 unfixed and important xattr-related bugs in the metastore available
in Debian (and its derivatives).

I hope you'll find time to bring metastore in Debian to a proper state
in the upcoming weeks.

Regards.

-- 
Przemysław 'Przemoc' Pawełczyk
http://przemoc.net/
