
Re: Bug#395252: ignore bug 395252 'mplayer embeds ffmpeg' for lenny



On Wed, Jun 18, 2008 at 10:29:17AM +0100, Neil McGovern wrote:
> Neither, it's the RC policy which carries more weight than a RG:
> http://release.debian.org/lenny/rc_policy.txt
> 
> 5a) Packages in the archive must not be so buggy or out of date that we
> refuse to support them.
> 
> The security team has confirmed multiple times that this is no longer
> supportable.

Your phrase "no longer" confirms that there is a fundamental
misunderstanding in this point.

The package 'mplayer' is not 'so buggy', it has 40 bugs,
and that is average. 
The only RC bug that 'mplayer' has is 395252.

This bug says "mplayer requires too much security maintenance work due to
embedded ffmpeg copy".

But this "too much security work" was claimed even before etch was
released, and is a claim that had and still has no supporting facts.

Indeed 'mplayer' had 3 security updates so far in Etch. 
None of those security updates was fixed by patching
code in the ffmpeg library.

So this whole bug 395252 is based on an a priori assumption;
moreover this assumption was proved wrong by facts.

Summarizing, you are deciding that mplayer is too buggy to be
supported because of a bug that claims that same argument.

Don't you see how circular this whole reasoning is?

----

Not to mention that, for reasons beyond my comprehension,
mplayer is the only package targeted by this reasoning.

1) As I said in the other email, the policy 3.8.0
now contains a paragraph [14.3] against embedded copies,
that is though waived for Lenny. For some reason, you
do not accept that mplayer be given the same treatment.

2) Another point is that
http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0
lists many packages which ship embedded copies.  One example is
mozilla/iceweasel/iceape.  Iceweasel had 9 security bugs in Etch.
Iceweasel has ~500 bugs (!!). So iceweasel should be kept out of
Lenny, since it contains embedded copies of code and is quite
buggy. But no one is ever posting this RC bug.  Why? Beats me.

a.

-- 
Andrea Mennucc

"The EULA sounds like it was written by a team of lawyers who want to tell 
me what I can't do, and the GPL sounds like it was written by a human 
being who wants me to know what I can do."
Anonymous,    http://www.securityfocus.com/columnists/420
