
Bug#993372: Bug#993378: RM: gtkpod -- RoQA; Upstream not active, orphaned & uses a vulnerable embedded library



Control: tags 993378 moreinfo

On Tue, Aug 31, 2021 at 03:49:45PM +0100, Neil Williams wrote:
> Package: ftp.debian.org
> Severity: normal
> 
> gtkpod upstream has moved but has not had any activity for over 5 years.
> 
> When investigating the two CVEs against AtomicParsley, former maintainer Matteo F. Vescovi reached
> out to me to suggest removal of gtkpod.
> 
> The use case for this package seems to be declining / absent and 4 crash bugs are currently open.
> 
> Fixes for these bugs and CVEs seem unlikely to appear, it would seem best to remove gtkpod
> from Debian at this point.

As a user I am quite unhappy when a working package I am using gets an 
RM bug out of the blue.

With software for older hardware it is normal that upstream becomes 
inactive, and anything other than declining usage would be a surprise.

I am also dismayed at the CVEs. At first sight the "two CVEs" might be 
for the same bug, with the fix for the first CVE not fixing the bug.
Does manually backporting the one-character change from CVE-2021-37232 
fix everything, even without the larger CVE-2021-37231 refactoring?

> Thanks

cu
Adrian

