[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Reporting unmaintained packages

On Tue 19 Jan 2016 at 16:27:36 +0100, Francois Gouget wrote:

> On Mon, 18 Jan 2016, Francesco Ariis wrote:
> 
> > On Mon, Jan 18, 2016 at 12:36:34PM +0100, Francois Gouget wrote:
> > >> The clamav-unofficial-sigs package has quite important bugs that cause 
> > >> it to fail to retrieve the SecuriteInfo virus signatures and send cron 
> > >> spam every 4 hours.
> > >> 
> > >> [..]
> > >> 
> > >> So what's the proper way to report this issue?
> > 
> > Hello Francois,
> >     I assume the bug you are talking about is #783228 [1].
> > clamav-unofficial-sigs is not maintained by a single person, but by
> > ClamAV Team.
> 
> Actually I think the following three bugs are duplicates of each other. 
> At least now if not initially (various SecuriteInfo databases went 
> offline progressively so symptoms changed over time).
> 
> * 783228: clamav-unofficial-sigs: securiteinfo databases not available any more
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783228
> 
> * 784832: clamav-unofficial-sigs: Multiple error message at each execution
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=784832
> 
> * 774763: clamav-unofficial-sigs: Updating the databases timeouts on a regular basis
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774763
>   (the timeouts are now 404s)
> 
> Here is the activity for these bugs:
> 
> Bug    | Reported   | User-provided workaround | ClamAV Team reply
> 774763 | 2015/01/07 | 2015/04/24               | none
> 783228 | 2015/04/24 | 2015/04/24               | none
> 784832 | 2015/05/09 | 2016/01/18               | none
> 
> So the the issues were reported over a year ago, workarounds provided 
> over 8 months ago, but the ClamAV team is nowhere to be found, hasn't 
> asked for more details, hasn't closed duplicate bugs, hasn't made any 
> new release of this package.

A small point: duplicate bugs are merged, not closed. You could do it if                                                
you are confident in your judgement. A more pertinent point is whether                                                  
you should be concerned yet about a lack of the response.  There could                                                  
be a perfectly good reason for it. A year can be but the blink of an                                                    
eyelid in Debian's calendar. :)
 
> So I did send more data for bug 774763 and 784832 but I'm mostly just 
> repeating information that's already available on bug 783228. So given 
> that information was available 9 months ago I'm not too hopeful.
> 
> I could also send a patch but is it really necessary when the 'fix' is 
> as simple as setting si_dbs="" in 00-clamav-unofficial-sigs.conf as was 
> described in bug 783228 (again, 9 months ago)?
> 
> The right fix might be to upgrade to the newer upstream version 
> available from GitHub as reported in bug 785130, 9 months ago (that bug 
> got no reply at all).
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785130
> 
> But then is it really the place of a user to provide a brand new package 
> for the maintainer to just push out? And I'm not willing to take over 
> maintainership because a) I'm not a Debian developer and b) I know I 
> won't have time to keep doing it.

You've done what you can do. The trick is not to get too disheartened.
Reply to: