[Bug 1936970] Re: [MIR] libnet-snmp-perl as a dependency of amavisd-new

Roland Rosenfeld 1936970 at bugs.launchpad.net
Wed Jul 21 13:14:54 UTC 2021 

I fear that you mixed up two packages here:

libnet-snmp-perl 6.0.1 with the Perl module Net::SNMP from
https://metacpan.org/dist/Net-SNMP (unchanged upstream since 2010).

and

libsnmp-perl 5.9(.1) with the Perl modules SNMP and NetSNMP::* from
https://net-snmp.sourceforge.io/ and http://github.com/net-snmp/net-
snmp/

I don't know which of them is used by amavisd-ng, but libnet-snmp-perl
6.0.1 isn't updated upstream since 2010, but is actively maintained by
the Debian Perl team (including me).

Greetings
Roland

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnet-snmp-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1936970

Title:
  [MIR] libnet-snmp-perl as a dependency of amavisd-new

Status in libnet-snmp-perl package in Ubuntu:
  New

Bug description:
  [Summary]
  =========

  Please promote bin:libnet-snmp-perl to main. It's the only binary
  package built by src:libnet-snmp-perl. The package is a "new"
  dependency of bin:amavisd-new, which is in main. I say "new" in quotes
  because is was already a dependency, but d/control missed it up to
  version 1:2.11.1-5, see [0].

  [Rationale]
  ===========

  libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
  The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
  has been the case since version 2.6.4. Note that Precise packages version
  2.6.5 already.

  The missing dependency is not immediately visible at such as it only
  causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
  the amavisd-new package and therefore is in main.

  [Availability]
  ==============

  Upstream: the project exists as NetSNMP since year 2000, but stems
  from the cmu-snmp library which already existed in 1995. NetSNMP still
  actively maintained as the git history [1] shows.

  Debian/Ubuntu: libnet-snmp-perl was first packaged in Debian in 2000.

  It is extremely unlikely that the library will be abandoned or deprecated
  in the foreseeable future.

  The package is a sync from Debian across all the supported Ubuntu
  releases (and also across the >=Precise unsupported ones).

  [Security]
  ==========

  The package is a SNMP client library. It provides no daemons or services
  in general, does not open ports, does not require special privileges to
  operate, and does not install setuid binaries.

  I see no need for looping in the security team.

  [Quality assurance]
  ===================

  Upstream has a test suite which is exercised during the .deb package
  build.

  Debian has only one bug open against the package, which IIUC is about
  how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
  forwarded upstream, and IMO shouldn't be considered a blocker for main
  inclusion.

  Ubuntu has no bugs filed against the package.

  Upstream tracks issues on GitHub, development is active.

  [Dependencies]

  Depends only on perl:any, so we're good here.

  [Standards compliance]

  The package is in good shape, it's well maintained and follows
  standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:

  X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature

  There are however some overrides. For the source package there is:

  # Upstream does not provide a repository, so we cannot mention it in metadata
  libnet-snmp-perl source: upstream-metadata-missing-repository

  which is not true anymore. I filed a minor bug in Debian for
  this [3] as it was under my fingers already, but it's not worth
  a delta and it's not a blocker for anything.

  The binary package has two (related) overrides:

  libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
  libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey

  Lintian is right, but apparently the Debian maintainers decided this
  is a wontfix. The fix would consist in splitting out a "-tools"
  package out of the "lib" one, I can see it's probably not worth it.

  (FWIW I wouldn't have added the override as the lintian is right.)

  [Maintenance]
  =============

  The Server Team will maintain the package. The maintenance effort is
  expected to be very low.

  [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
  [1] https://github.com/net-snmp/net-snmp
  [2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
  [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991350

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnet-snmp-perl/+bug/1936970/+subscriptions

More information about the foundations-bugs mailing list