Hi On 2025-12-09 15:57:09 +0100, Andreas Tille wrote: > Hi Sebastian, > > Am Tue, Dec 09, 2025 at 02:21:40PM +0100 schrieb Sebastian Ramacher: > > > There are many packages in Debian with inactive upstreams that are still > > > maintained on the Debian side. Could you clarify what you expect in > > > practice under "take up upstream maintenance"? > > > > > > For instance, do you mean creating new releases, rewriting parts of the > > > codebase, or something else? > > > > mp3splt has three open CVEs from 2017 (!). Going through the issues > > reported at https://github.com/mp3splt/mp3splt/issues, there are even > > more reports on crashes (not even counting all the issues where the > > package produces broken output). Fixing/traiging those would reasonably > > fall under "taking over upstream maintenance". > > OK, I got what you mean. Having long term unfixed CVEs is surely an > issue. I'm glad you filed #1122255 about this. > > > So if you are not becoming upstream, then I think we and our users are > > better served by removing this package. > > So I guess your advise changed from "orphan" to "remove" in this > specific case of mp3splt, right?
Sounds like the best option currently. > > A code base with open CVEs that > > is expected to handle potentially untrusted files and no upstream > > maintainer falls IMHO below the quality threshold that we can expect > > from Debian packages. > > Fully ACK for this. So I'll retitle to RoQA and reassign this bug to > ftp.debian.org if I do not hear from any volunteer or the current > maintainer after 7 days. > > Thank you for your insight. > > BTW, finally I consider the ITS process a good thing to uncover such > issues. Just assume nobody had raised awareness about this problem > your valuable information might remain hidden. Is it, though? With the ITS process I would expect that the person starting the process is willing to take care of the package and is aware of the state of the package. The analysis of whether the package is still usable or suitable for Debian should be done before that. > Today I injected > https://salsa.debian.org/multimedia-team/audiotools > into Debian Multimedia team with 3 bugs fixed (two of these RC). > Do you think this is a valid candidate for Multimedia team > adoption? IMHO repositories of those package should be stored > on Salsa where Multimedia experts are typically around. No, I don't. The package has other unfiled RC bugs (broken with our version of urwid at least). I don't see this fixed in your import. This raises the question: have you tested that the package still works as intended? Cheers -- Sebastian Ramacher
