Re: Bug#1122194: ITS: mp3splt
Hi Sebastian,
Am Tue, Dec 09, 2025 at 02:21:40PM +0100 schrieb Sebastian Ramacher:
> > There are many packages in Debian with inactive upstreams that are still
> > maintained on the Debian side. Could you clarify what you expect in
> > practice under "take up upstream maintenance"?
> >
> > For instance, do you mean creating new releases, rewriting parts of the
> > codebase, or something else?
>
> mp3splt has three open CVEs from 2017 (!). Going through the issues
> reported at https://github.com/mp3splt/mp3splt/issues, there are even
> more reports on crashes (not even counting all the issues where the
> package produces broken output). Fixing/traiging those would reasonably
> fall under "taking over upstream maintenance".
OK, I got what you mean. Having long term unfixed CVEs is surely an
issue. I'm glad you filed #1122255 about this.
> So if you are not becoming upstream, then I think we and our users are
> better served by removing this package.
So I guess your advise changed from "orphan" to "remove" in this
specific case of mp3splt, right?
> A code base with open CVEs that
> is expected to handle potentially untrusted files and no upstream
> maintainer falls IMHO below the quality threshold that we can expect
> from Debian packages.
Fully ACK for this. So I'll retitle to RoQA and reassign this bug to
ftp.debian.org if I do not hear from any volunteer or the current
maintainer after 7 days.
Thank you for your insight.
BTW, finally I consider the ITS process a good thing to uncover such
issues. Just assume nobody had raised awareness about this problem
your valuable information might remain hidden.
Today I injected
https://salsa.debian.org/multimedia-team/audiotools
into Debian Multimedia team with 3 bugs fixed (two of these RC).
Do you think this is a valid candidate for Multimedia team
adoption? IMHO repositories of those package should be stored
on Salsa where Multimedia experts are typically around.
Kind regards and thanks again
Andreas.
--
https://fam-tille.de
Reply to: