
Bug#890756: RFS: youtube-dl/2018.01.27/1.1 [NMU] -- downloader of videos from YouTube and other sites



Control: tag 890756 + moreinfo
Control: tag 890119 + moreinfo

On Feb 18 2018, Nicolas Braud-Santoni wrote:
> Package: sponsorship-requests
> Severity: normal
> Control: block 890119 by -1
> Control: tag 890119 + pending
> Control: tag -1 + security
> 
> Hi,

Hi, Nicolas.

There's no need to rush with any upload, as I am going to take care of that
myself.

BTW, we had, essentially, a whole week of extended holidays here in Brazil
during this week (Carnival), which was the reason why I had not replied
earlier (poor connectivity etc.).

> I'm looking for a sponsor for this NMU against youtube-dl.

I am not a security expert (I only have a day-to-day, working knowledge of
security), so I don't really know enough to be able to disagree with your
assessment of the situation, but the upstream maintainers have a reasonably
good reputation (and are famed) for being security-minded and/or crypto experts.

> It removes youtube-dl's built-in autoupdate mechanism, whose security
> is unclear and which is defunct on Debian anyhow (see #890119 for details).

I am OK (not super happy, but OK) with the removal of the --upgrade option
of youtube-dl, *BUT* I think that removing it completely and giving the
users that try to invoke the command with that option something like "option
not recognized" is a poor user-experience.

We should, *IF* we remove the option, substitute it with an output saying
that in Debian (and other derived distributions) we have disabled that
option.  Not having this will make users confused, since it would deviate
from the behavior of upstream.

Speaking as a user (not as the maintainer) of youtube-dl, that's something
that I would expect from *any* Debian package: document conspicuously the
differences between the package that we have in Debian and what upstream
offers.

Ideally, we should propose something better for upstream, even if we don't
end up using it in Debian itself.

> @Rogério: This exactly adds the patch I sent to the packaging repository in
>           https://github.com/rbrito/pkg-youtube-dl/pull/2
>           However, since the state of the packaging repository is inconsistent
>           with what is in the Debian archive, you will need to push to the
>           repository, merge my PR, and then manually grab the updated changelog.

Yes, I have not yet taken the time to migrate things to salsa.debian.org. I
will do as soon as I get familiar with the needed changes.

I will post the comments above as a review on your pull request...

> The updated version of the package is available on mentors.d.n :
> 
>   https://mentors.debian.net/package/youtube-dl
>   https://mentors.debian.net/debian/pool/main/y/youtube-dl/youtube-dl_2018.01.27-1.1.dsc
> 
> 
> Note that there are 2 minor issues in the package that I did not change:
> - The package still uses dh 10
>   I have no idea whether the maintainer wants to switch to dh 11

That's on purpose/intentional, to ease backporting for people that don't
have a debhelper so recent.

Actually, the main functionality of the resulting program will not change
that much with a newer debhelper, which means that the change will be only a
formal change, AFAICS...

> - groff throws a warning on the youtube-dl(1) manpage (lintian tag
>   manpage-has-errors-from-man), but I believe this is out of scope for this NMU.

This problem has been communicated upstream and we reached the conclusion
that it is a problem with pandoc...

All that being said, I will upload a new version of youtube-dl during the
next few days...


Regards,

Rogério Brito.


-- 
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
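The difference Rogério is asking for, shown as an added example (not code from youtube-dl or from the Debian package): an optparse parser, the option library youtube-dl itself uses, with the self-update flag either removed outright or kept as a stub that explains the downstream change. The flag is spelled -U/--update in youtube-dl (the post calls it --upgrade); DISTRO_NOTICE and the -o option are constructed for this example.

```python
"""Removing a self-updater from a distro package: silent removal vs. a stub.

Constructed example using optparse. Not youtube-dl's or Debian's own code;
DISTRO_NOTICE is a placeholder message written for this example.
"""
import optparse

DISTRO_NOTICE = (
    "youtube-dl: the -U/--update self-updater is disabled in this Debian "
    "package; updates are delivered through apt instead."
)


class NonExitingParser(optparse.OptionParser):
    """optparse calls sys.exit() on bad input; raise instead so callers can test."""

    def error(self, msg):
        raise optparse.OptParseError(msg)


def build_parser(keep_update_stub):
    parser = NonExitingParser(prog="youtube-dl", add_help_option=False)
    parser.add_option("-o", "--output", dest="output", help="output template")
    if keep_update_stub:
        # Keep the flag so 'youtube-dl -U' is still understood, but make it
        # explain the downstream change instead of fetching code over the network.
        parser.add_option("-U", "--update", action="store_true", dest="update",
                          help="disabled in this package (see DISTRO_NOTICE)")
    return parser


def run(argv, keep_update_stub=True):
    """Return (exit_status, message) for argv without exiting the process."""
    parser = build_parser(keep_update_stub)
    try:
        opts, args = parser.parse_args(list(argv))
    except optparse.OptParseError as exc:
        # Flag removed outright: the user only sees optparse's generic error.
        return 2, str(exc)
    if getattr(opts, "update", False):
        # Stubbed flag: an explicit notice and a non-zero status so that
        # scripts relying on the updater fail loudly rather than silently.
        return 1, DISTRO_NOTICE
    return 0, "ok: would download %s" % (args or ["<nothing>"])
```

Running `run(["-U"], keep_update_stub=False)` yields the bare "no such option: -U" the post objects to, while the default stub returns the notice.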