Hi Sebastian, Am Tue, Dec 09, 2025 at 02:21:40PM +0100 schrieb Sebastian Ramacher: > > There are many packages in Debian with inactive upstreams that are still > > maintained on the Debian side. Could you clarify what you expect in > > practice under "take up upstream maintenance"? > > > > For instance, do you mean creating new releases, rewriting parts of the > > codebase, or something else? > > mp3splt has three open CVEs from 2017 (!). Going through the issues > reported at https://github.com/mp3splt/mp3splt/issues, there are even > more reports on crashes (not even counting all the issues where the > package produces broken output). Fixing/traiging those would reasonably > fall under "taking over upstream maintenance".
OK, I got what you mean. Having long term unfixed CVEs is surely an issue. I'm glad you filed #1122255 about this. > So if you are not becoming upstream, then I think we and our users are > better served by removing this package. So I guess your advise changed from "orphan" to "remove" in this specific case of mp3splt, right? > A code base with open CVEs that > is expected to handle potentially untrusted files and no upstream > maintainer falls IMHO below the quality threshold that we can expect > from Debian packages. Fully ACK for this. So I'll retitle to RoQA and reassign this bug to ftp.debian.org if I do not hear from any volunteer or the current maintainer after 7 days. Thank you for your insight. BTW, finally I consider the ITS process a good thing to uncover such issues. Just assume nobody had raised awareness about this problem your valuable information might remain hidden. Today I injected https://salsa.debian.org/multimedia-team/audiotools into Debian Multimedia team with 3 bugs fixed (two of these RC). Do you think this is a valid candidate for Multimedia team adoption? IMHO repositories of those package should be stored on Salsa where Multimedia experts are typically around. Kind regards and thanks again Andreas. -- https://fam-tille.de
