Debian Bug report logs - #880592
RM: photofloat -- ROM; personal project, not collaborative

Package: ftp.debian.org; Maintainer for ftp.debian.org is Debian FTP Master <ftpmaster@ftp-master.debian.org>;

Reported by: Antoine Beaupre <anarcat@debian.org>

Date: Thu, 2 Nov 2017 16:06:02 UTC

Severity: normal

Done: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>:
Bug#880592; Package ftp.debian.org. (Thu, 02 Nov 2017 16:06:04 GMT).


Acknowledgement sent to Antoine Beaupre <anarcat@debian.org>:
New Bug report received and forwarded. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>. (Thu, 02 Nov 2017 16:06:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Antoine Beaupre <anarcat@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: RM: photofloat -- ROM; personal project, not collaborative
Date: Thu, 02 Nov 2017 12:02:29 -0400
Package: ftp.debian.org
Severity: normal

Hi!

After struggling to get [fixes] merged upstream, I was finally told by
the upstream Photofloat maintainer that the patches from the community
would never be merged, after 3 years of almost complete radio silence.

 [fixes]: https://lists.zx2c4.com/pipermail/photofloat/2014-September/000054.html

The project was also [forked] in June 2017, as [photofloatenhanced],
which was [denounced] as insecure by the original maintainer, so it is
unclear what the future of the project is.

 [forked]: https://lists.zx2c4.com/pipermail/photofloat/2017-June/000173.html
 [photofloatenhanced]: https://github.com/paolobenve/photofloatenhanced
 [denounced]: https://lists.zx2c4.com/pipermail/photofloat/2017-August/000204.html

In a conversation with the author on the #wireguard channel (as
Donenfeld is also working on that VPN software), he explained the fork
had a directory traversal vulnerability and in general expressed
hostility at the fork and mocked the idea of packaging photofloat in
Debian. He explained he had no duty of merging in patches from
downstream in his project, which he described as a personal project
he simply shared with people. Donenfeld explicitly stated that people
should feel "entitled" to see their work merged.

The Debian package features some of the patches mentioned upstream,
which means it's effectively become another fork. This gives us the
following options:

 1. maintain the current package as a fork in Debian: lots of work, no
    fun.

 2. switch to the photofloatenhanced fork: may have security issues
    and uncertain future.

 3. completely remove the patches and only use the upstream code: may
    be difficult to repackage, features (like video) missing.

 4. try again to merge our patches upstream - they need to be rebased
    and there may be a slight chance to change Donenfeld's mind:
    frustrating work that may just fail.

 5. remove photofloat from Debian: minimal work, future-proof, but we
    abandon possible users

[Popcon] tells us the install count spiked to around 25 when it was
first introduced in 2013 and slowly rose to around 40 in 2015 and
seems to have leveled and may be declining.

 [Popcon]: https://qa.debian.org/popcon.php?package=photofloat

Considering I do not really want to spend any further energy on this
frustrating adventure and I doubt anyone will pick this up if I orphan
it, please remove photofloat from Debian.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian FTP Master <ftpmaster@ftp-master.debian.org>:
Bug#880592; Package ftp.debian.org. (Thu, 02 Nov 2017 16:33:03 GMT).


Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian FTP Master <ftpmaster@ftp-master.debian.org>. (Thu, 02 Nov 2017 16:33:03 GMT).


Message #10 received at 880592@bugs.debian.org:

From: Antoine Beaupré <anarcat@debian.org>
To: 880592@bugs.debian.org
Subject: Re: RM: photofloat -- ROM; personal project, not collaborative
Date: Thu, 02 Nov 2017 12:29:59 -0400

Oh, and I forgot to mention... There's an equivalent software being
packaged for Debian called `sigal`:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879239

It's a more "normal" package (e.g. it's on pip) and has all the features
of photofloat, and more...

I'll probably be switching to sigal and work on packaging it instead of
photofloat in the future.

A.
-- 
Pour marcher au pas d'une musique militaire, il n'y a pas besoin de
cerveau, une moelle épinière suffit.
                        - Albert Einstein



Reply sent to Debian FTP Masters <ftpmaster@ftp-master.debian.org>:
You have taken responsibility. (Mon, 11 Dec 2017 18:03:29 GMT).


Notification sent to Antoine Beaupre <anarcat@debian.org>:
Bug acknowledged by developer. (Mon, 11 Dec 2017 18:03:29 GMT).


Message #15 received at 880592-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 880592-close@bugs.debian.org
Cc: photofloat@packages.debian.org, photofloat@packages.qa.debian.org
Subject: Bug#880592: Removed package(s) from unstable
Date: Mon, 11 Dec 2017 18:01:13 +0000

We believe that the bug you reported is now fixed; the following
package(s) have been removed from unstable:

photofloat | 0~20120917+dfsg-3 | source, amd64, arm64, armel, armhf, hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mips64el, mipsel, powerpc, ppc64el, s390x

------------------- Reason -------------------
ROM; personal project, not collaborative
----------------------------------------------

Note that the package(s) have simply been removed from the tag
database and may (or may not) still be in the pool; this is not a bug.
The package(s) will be physically removed automatically when no suite
references them (and in the case of source, when no binary references
it).  Please also remember that the changes have been done on the
master archive and will not propagate to any mirrors until the next
dinstall run at the earliest.

Packages are usually not removed from testing by hand. Testing tracks
unstable and will automatically remove packages which were removed
from unstable when removing them from testing causes no dependency
problems. The release team can force a removal from testing if it is
really needed, please contact them if this should be the case.

We try to close bugs which have been reported against this package
automatically. But please check all old bugs, if they were closed
correctly or should have been re-assigned to another package.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 880592@bugs.debian.org.

The full log for this bug can be viewed at https://bugs.debian.org/880592

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Jan 2018 07:39:25 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Nov 22 00:19:59 2024; Machine Name: bembo
