
Re: RFS: lesstif2



On Mon, 08 Aug 2011 21:31:11 +0200 Paul Gevers wrote:
> Have you investigated the changes made by upstream lesstif in the
> embedded code and verified that they are not necessary? 

Hi,

On the surface, the diff between the embedded library in lesstif and
the standalone libxpm seems rather large.  However, if you dig into it,
you'll notice that 95% of the diff involves just a restyling of
function calls and removal of old hacks needed to support xfree86.

On top of that, there are a few spelling corrections, and a couple
cases of refactoring/improving the code in the standalone version.  

> As stated in bug
> 575750 [1], which you properly close, the security team knows about this
> copy and agreed that this one is not a big problem.

So there haven't been security issues disclosed in that code for a
while, but that doesn't necessarily mean something won't be found
in the future.  I think Florian's statement is very astute (he
recognizes that there were security issues in that code before it
was split off from lesstif) vice Moritz's comment referenced.  Plus
Debian policy says embedded code copies are to be avoided.  This is
for various other good reasons as well, such as more efficient memory
usage, smaller libs, non-duplication, avoiding code going stale, etc.

> Further, I don't believe sponsors find it appropriate when you set the
> DM-upload-allowed flag without discussing that first and without
> mentioning that in your request.

OK, I wasn't trying to hide anything.  That's certainly clearly stated
in the changelog, and I rather despise duplication, so I chose not to
repeat myself in the email.  I elected to set DM-upload-allowed since 
the package looked like it needed some more attention, and I'm willing 
to give it that, but if that's overstepping some perceived bounds, I'll
remove it.

> I cannot upload your package as I am no DD and the DM-upload-allowed
> flag is not yet set on this package ;).

OK, that's why I started this discussion on mentors ;)  I'm hoping a
DD will find this work a useful improvement worth uploading to users.

Best wishes,
Mike

