today I was contacted by madkiss on ICQ, and we resolved our issues. I
improved the (upstream) .deb packaging according to his suggestions, and in
return, removed the Debian blurb from the code, and uploaded it as the
current CVS snapshot. madkiss, since he doesn't use mICQ at all, agreed to
orphan the package if someone else is willing to adopt it, or otherwise to
cooperate with the two volunteers from the list to audit the code, if this
is still deemed necessary.
I hope this ends the flame fest on this list.
However, please allow me some final comments on topics touched in the
First, some people were calling the code changes I made a trojan, a poison
pill, or even a DoS attack. I'm not the first to note that this is simply
not true. It doesn't do anything else than printing a message and exiting.
It doesn't send your mail to me, it doesn't crash your computer, it doesn't
keep you from using ICQ. It's not more of an DoS than the korganizer
package, which is currently uninstallable. Heck, it doesn't even keep you
from using mICQ, as it told you where to get binaries (okay, i386 only), and
you could always get the sources from micq.org and build your own package.
If you want a fruitfull discussion, then coming down to the facts is a
necessity, and those facts don't include trojan, poison pill nor DoS. In
fact, I only added dead code. It was you who #ifdef'd it in - not knowingly,
but anyway. So much about it being Debian specific - it isn't. It broke if
you munged it, i.e. if _you_ broke it. The binaries on mICQ were compiled
from pristine sources, and they do run fine on Debian. So you can see as
well that it wasn't targeted at Debian users, but at it's maintainer.
Second, some people claim that I hurt the reputation of the Debian project.
That may or may not be true. What it definately did was showing a problem in
the process. Anyway, there is more than one side of reputation to look at
here. There's also the reputation of mICQ at stake. Does Debian improve the
reputation of mICQ by shipping an old version of mICQ? Does Debian improve
the reputation of mICQ by shipping a version with an extremely annyoing bug
that could trivially be fixed, and refusing to fix it several times? Does
Debian improve my reputation as an OSS software author by removing my name
from the copyright file? Does Debian improve its own reputation by shipping
a version of mICQ that because of the last point isn't even legal to
distribute, though Debian is so extremely retinent about free vs non-free?
Doesn't Debian try to destroy my reputation by accusing me of things I
didn't do? Think about it. And think about the update procedures in stable.
Third, I do take offense of being called a cracker. Manoj, this simply
crosses the border of slander. I did not break into your computer system. I
did not axe my way to your hard disc. I did not make your monitor explode.
Your Bush-uesque style of repeating it again and again endlessly doesn't
make it more true, and your try to make me look like a criminal is actually
much more that. You sound like a spoiled child who was denied his favourite
toy. Or his favourite candy. Which brings me back on topic, namely the
stupid candy analogies. They're all wrong in one point: to assume I took
something from someone illegally. I didn't. The correct analogy is: I was
giving out free cookies (ie mICQ), and some spoiled child (Debian/madkiss)
peed on them and passing them on as mine. So the next time he wanted
cookies, I gave him cookies, that, when peed on (when EXTRAVERSION removed),
eventually (time(NOW+3weeks)) sprang open, telling (displaying a message and
exiting) the eaters where to get the real cookies. That's just fair enough.
Which brings us to the topic of what I did and what not. People say I didn't
do everything possible to resolve the issue. That may be true. However, I
did do a lot things. There were several fruitless discussions with him, not
all of them recorded in the BTS. There were, finally, BTS entries for stuff
that mattered at that time. And, actually, one of those messages to the BTS
even had a CC to Joey. No, I didn't write a message to him, but he got (and
ignored) a bunch of my complaints about the package. See the pointers in one
of the previous mails I sent (if even the participants of that thread would
at least read the mails of those most related to the topic...). Since there
was no usefull response from the maintainer, I thought it would be the best
to package it myself, even though I considered it the second best way as I
wanted to have a program, not wasting my time packaging it. There were a few
more reasons for it, but they were minor. Unfortunately, I spent too much
time on mICQ and less on this application, so it was somewhat stalled, and I
was struggling finishing everything up for the release. Well. I could have
sent a message to debian-devel, that's true. Would anyone have listened to
an unknown wannabe developer on it? During Christmas? Do you think so? It
may be so, but it didn't sound like it would fix everything soon to me, and
I was about to release the stuff. So this sounded like the only way
promising a fast fix. And: I went a long way. Somewhere is just the border
for what to expect to happen. If you think it was just childish, then you're
simply not thinking far enough. Though I do admit having some fun with it.
Some were complaining it would be worse because it was obfuscated - that's
nonsense simply because it couldn't have worked otherwise. It may not have
been the nicest way, but it was effective. Some maintainer needed a lesson
to start listening, and he got it. It unfortunately was required.
So. No that's been cleared up. Leaves the trust issue. Some people say I
lost all trust for what I did. Well. Trust has two sides: the trust to
receive what you seem to get, and the trust that what you give is treated
well. In this case, the latter was broken. It wasn't treated well. My trust
was broken, I was slapped at again and again. Now _you_ complain that _I_
broke your trust? That I should lose it forever? Then, what trust do _you_
expect to have? Well, I don't care whether you need to audit the code now.
Feel free to do so if you must, it's your waste of time. It will be as
usefull as the "rm -rf /" accusation was realistic.
For the DD application - yes, Jörg removed me. That was definately
premature, in particular since his mail reveals no understanding of the
issue. On the other hand, I don't care - the issue with madkiss is now
resolved, so there's no need anymore for me to package it. It means no m68k
buildd again, but that's offtopic here.
In the end of the day, I want to thank in particular Anthony Towns, Remi
VANICAT for intelligent postings to the thread. No thanks for their hate
tirade go to BRL, Steve Langasek and Manoj Srivastava. Seems in Debian
nothing gets done without a lot of dirty laundry.
Have a nice day.
100 DM = 51 € 13 ¢.
100 € = 195 DM 58 pf.