Re: Reporting unmaintained packages
On Mon, 18 Jan 2016, Francesco Ariis wrote:
> On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
> >> The clamav-unofficial-sigs package has quite important bugs that cause
> >> it to fail to retrieve the SecuriteInfo virus signatures and send cron
> >> spam every 4 hours.
> >>
> >> [..]
> >>
> >> So what's the proper way to report this issue?
>
> Hello Francois,
> I assume the bug you are talking about is #783228 [1].
> clamav-unofficial-sigs is not maintained by a single person, but by
> ClamAV Team.
Actually I think the following three bugs are duplicates of each other.
At least now if not initially (various SecuriteInfo databases went
offline progressively so symptoms changed over time).
* 783228: clamav-unofficial-sigs: securiteinfo databases not available any more
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
* 784832: clamav-unofficial-sigs: Multiple error message at each execution
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832
* 774763: clamav-unofficial-sigs: Updating the databases timeouts on a regular basis
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763
(the timeouts are now 404s)
Here is the activity for these bugs:
Bug | Reported | User-provided workaround | ClamAV Team reply
774763 | 2015/01/07 | 2015/04/24 | none
783228 | 2015/04/24 | 2015/04/24 | none
784832 | 2015/05/09 | 2016/01/18 | none
So the the issues were reported over a year ago, workarounds provided
over 8 months ago, but the ClamAV team is nowhere to be found, hasn't
asked for more details, hasn't closed duplicate bugs, hasn't made any
new release of this package.
So I did send more data for bug 774763 and 784832 but I'm mostly just
repeating information that's already available on bug 783228. So given
that information was available 9 months ago I'm not too hopeful.
I could also send a patch but is it really necessary when the 'fix' is
as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was
described in bug 783228 (again, 9 months ago)?
The right fix might be to upgrade to the newer upstream version
available from GitHub as reported in bug 785130, 9 months ago (that bug
got no reply at all).
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130
But then is it really the place of a user to provide a brand new package
for the maintainer to just push out? And I'm not willing to take over
maintainership because a) I'm not a Debian developer and b) I know I
won't have time to keep doing it.
--
Francois Gouget <fgouget@free.fr> http://fgouget.free.fr/
La terre est une bêta...
Reply to: