
Bug#669643: ITP: bugzilla4 -- web-based bug tracking system



On Tue, May 15, 2012 at 09:48:55AM +0300, Faidon Liambotis wrote:
> On Thu, May 03, 2012 at 10:47:31AM -0400, Mark A. Hershberger wrote:
> > > Have you checked why bugzilla3 used to be in Debian, and got removed
> > > (see #638705).
> > 
> > Thanks for the info.  I was not aware of that.  I did wonder why it
> > wasn't being packaged.
> > 
> > It looks like the main thing to be addressed is finding a
> > co-maintainer.
> 
> As discussed in private with Mark (he's a coworker), I will serve as his
> comaintainer & sponsor for this package.
> 
> Moreover, I'm adding the security team to the loop, since bugzilla3 was
> removed per their request.
> 
> We know that bugzilla has had a troubled history in Debian, so we'll be
> careful. One area in particular that was problematic was a strained
> relationship with upstream (aiui, the result of having an unmaintained
> vulnerable package in Debian for some time); Mark has already been in
> some contact with them.
> 
> If you still have reservations, feel free to raise them — before we
> upload this (soonish) would work better :) 

As the person who requested the removal of the old package: I have no
objections against Bugzilla per se. The upstream security engineering
is done in a very professional manner.

The old package was removed because
- the old package was practically unmaintained (only activity every year or so). If
  there's now a full maintainer team, all the better.
- the old packaging was horrible (multiple tarballs mixed in a weird way and
  instead of patches everything was modified by a series of shell scripts
  run during build) and close to impossible to NMU in a sane way. If you
  start bugzilla4 packaging from scratch that should not be a problem.

Cheers,
        Moritz


