removal of bitchx

[Stephan Hermann]

Hi,


Am Thu, 15 Nov 2007 14:35:58 +0100
schrieb Reinhard Tartler <siretart at ubuntu.com>:

> Stephan Hermann <sh at sourcecode.de> writes:
> 
> > Dear Colleagues,
> >
> > I need some advice:
> >
> > there are least 2 CVEs for bitchx (source ircii-pana) but upstream
> > seems to be dead.
> > I would like to request a removal of this package.
> >
> > Why?
> >
> > First, we have (as console replacement) irssi in our archives,
> > which is quite active, secondly for the X fanatics we have several
> > other irc clients in our archives.
> > Third, dead upstream is not ok for a package in debian and ubuntu.
> >
> >
> > Some random thoughts, or should I file a removal request via LP and
> > DBTS?
> 
> AFAIUI, we have the policy not remove packages from universe just
> because nobody cares for this. This topic and similar questions have
> been raised before at least by Lucas and me, but the answer was that
> we in general don't remove broken packages.

Well, the package itself is not broken (ok, for hardy it's just not
secure and righ now it ftbfs but that's something different).
 
> I'm not too happy with that course, but I don't have a really strong
> opinion on this. If someone in the future wants to care for the
> package, he can just start to work on it.

I filed a removal request on LP and for debian. It's attached to the
LP bug and nion (Nico Golde) just fixed a bug for me with the DBTS ;)

He agrees (he wrote at least one patch for bitchx) with me, that a
removal is the best we can do security wise.

> 
> OTOH, we do remove packages from universe if they are removed from
> debian. So the current process would be to get it removed from debian
> first and then from ubuntu. And I'm sure we can do case-by-case
> decisions as well. I'm just saying that we don't have a real process
> for this.

That's what we try.

> 
> In any case, filing a LP Bug where the status of the case of bitchx
> can be tracked is IMO a good idea!
> 

Done.

Regards,

\sh