Quoting Martin Rampersad via Pkg-voip-maintainers (2024-12-13 22:30:43)
> Regarding how to resolve this bug, see #1030669 which has the same demand
> and was closed by a promise from Marco d'Itri. If you don't look him up or
> already know who he is, he says "I manage about 150 instances of Varnish,
> so let's just assume that I have the experience needed and some motivation."
> Moritz replies "Noted, thanks".
>
> It's only when you research the individual that you find he has been a
> Debian Developer for 27 years, so perhaps Marco's casual attitude
> is an inside joke.
>
> If you follow the work done, you will see that the result is 3 commits
> over the last 18 months (varnish:debian/7.1.1-1.1) and two CVEs marked as
> "ignored, too minor" in the varnish package tracker.
Thanks for the research.

Yes, I know Marco. I think I haven't met him in person, but not sure - but he has a strongly opinionated and confident voice on mailing lists.

The concern raised by the security team is real: Marco may easily be able to manage the level of security bugs expected for the 150 packages that he maintains, and I will also argue generally that I am relatively fine handling the 700+ packages I am involved in. But among those, asterisk is one of very few packages that stick out as a) having a large number of CVEs, and b) more likely than not deviating from upstream so much over the course of its lifetime in Debian that patches cherry-picked from upstream do not apply.

In short, I genuinely cannot handle security issues on my own.

Other similarly CVE-ridden packages, like Ghostscript, have been a deep dependency, so that even if others in Debian did not care much for the package itself, when I gave up on fixing CVEs others chimed in and helped out anyway, but asterisk is a fringe package, so it is easier for those not caring about the functionality of the package to back out and let it rot.

Asterisk needs more maintainers, or it will not survive in Debian.

> I accept that I'm not yet qualified to make this promise for asterisk. I'll
> level up my Debian participation and try again later.

Why later? Why not now?

You are aware that there might not be a later, right? You are aware that if you reappear close to the next freeze, it may again be too close to a deadline?

Regardless, thanks for your interest in asterisk - however it materialises,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/
 * Sponsorship: https://ko-fi.com/drjones

 [x] quote me freely [ ] ask before reusing [ ] keep private