Debian Bug report logs - #891982
xchat: Intent to file removal bug

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jbicha@debian.org>

To: submit <submit@bugs.debian.org>

Subject: xchat: Intent to file removal bug

Date: Sat, 3 Mar 2018 12:06:28 -0500

Source: xchat
Version: 2.8.8-13
Severity: serious

xchat was removed from Debian 2 years ago because
"dead upstream; active fork available" [1]

The situation has not changed since then. xchat has not had any
upstream releases since 2010.

Meanwhile, hexchat is under active development. The hexchat developer
has recently complained about Debian's re-inclusion of xchat [2]

Therefore, I intend to file a removal bug for xchat soon, but I am
filing this bug first.

Thanks,
Jeremy Bicha

[1] https://bugs.debian.org/811007
[2] https://tingping.github.io/2018/03/02/when-distros-get-it-wrong.html
and the 400+ comments at
https://www.reddit.com/r/linux/comments/81gij7/xchat_and_hexchat_when_distributions_get_it_wrong/

Message #10 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Alf Gaida <agaida@siduction.org>

To: 891982@bugs.debian.org

Subject: Re: xchat: Intent to file removal bug

Date: Sat, 3 Mar 2018 18:59:43 +0100

For gods sake, please go for it. Thank you very much

Cheers Alf

Message #15 received at 891982@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: Debian Bug Tracking System <891982@bugs.debian.org>

Subject: Re: xchat: Intent to file removal bug

Date: Sun, 04 Mar 2018 16:14:38 +0100

Package: src:xchat
Followup-For: Bug #891982

Hi Jeremy!

Could you provide any references to bug reports which indicates
that there are problems with the xchat package which make it
unfit for release or violate against any of the points mentioned
in the Debian Policy?

Please note that we have other packages in Debian like xemacs21
or micropolis-activity whose upstream is long dead but where we
have compotent maintainers in Debian who are actively taking care
of this package.

I don't think a rant posted on reddit by the author of a fork
is justified enough to ask for a package to be removed from
the archive.

As long as there aren't any serious policy or security issues,
Debian usually doesn't impose any limitations on what packages
get maintained in the archive and which not.

Thanks,
Adrian

--
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Message #20 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Jeremy Bicha <jbicha@ubuntu.com>

To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 891982@bugs.debian.org

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Sun, 4 Mar 2018 11:26:33 -0500

On Sun, Mar 4, 2018 at 10:14 AM, John Paul Adrian Glaubitz
<glaubitz@physik.fu-berlin.de> wrote:
> Could you provide any references to bug reports which indicates
> that there are problems with the xchat package which make it
> unfit for release or violate against any of the points mentioned
> in the Debian Policy?

1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

2. "introduces a security hole on systems where you install the packages" [2]

3. Multiple copies of the same code base [3]

4. Although not specified in Debian Policy, I believe the Debian
Project generally does not wish to see "unmaintainable" software in
Debian, especially if there are maintainable alternatives.

5. I'm definitely nitpicking here, but the new Debian maintainer did
not completely follow the Developers Reference practice for
re-introducing a package by filing an ITP and CCing debian-devel. [4]
Therefore, in my opinion, the Debian project never collectively agreed
to xchat's reintroduction to Debian.

> I don't think a rant posted on reddit by the author of a fork
> is justified enough to ask for a package to be removed from
> the archive.

The author posted his opinion to his personal blog and did not
directly start the reddit discussion. Also, that author is the subject
matter expert here and I think we should give due deference to his
understanding of the security issues present in xchat for which he did
not seek CVE designations.

> As long as there aren't any serious policy or security issues,
> Debian usually doesn't impose any limitations on what packages
> get maintained in the archive and which not.

Yes, I'm well aware of your position since I've read the reddit discussion.

However, your characterization of Debian's practice is inaccurate. For
instance, I'm helping to remove hundreds of packages from Debian right
now. The packages often are maintained more or less in Debian but have
had no upstream development for years. [5]


References
--------------
[1] https://release.debian.org/buster/rc_policy.txt
Specifically, Sven Hoexter, as acting Maintainer, made this
determination in https://bugs.debian.org/811007

[2] https://release.debian.org/buster/rc_policy.txt

[3] Somewhat addressed in Debian Policy § 4.13 and its footnote

[4] § 5.9.6 and § 5.9.1
https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#reintroducing-pkgs
Which also says "It may indicate that the best way forward is to
switch to some other piece of software instead of reintroducing the
package. "

[5] https://lists.debian.org/debian-devel/2018/02/msg00169.html

Thanks,
Jeremy Bicha

Message #25 received at 891982@bugs.debian.org (full text, mbox, reply):

From: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>

To: Jeremy Bicha <jbicha@ubuntu.com>

Cc: 891982@bugs.debian.org

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Sun, 4 Mar 2018 17:50:15 +0100

On 03/04/2018 05:26 PM, Jeremy Bicha wrote:
> 1. "in the maintainer's opinion, makes the package unsuitable for release" [1]

Didn't you say there is no longer an upstream maintainer?

Please note we have had similar cases with other packages where the maintainer
of a forked project or the original project was attacking the fork or vice
versa. This alone isn't an argument.

> 2. "introduces a security hole on systems where you install the packages" [2]

That's why I was specifically asking for a particular issue you are seeing
with the bug. Again, the maintainer of the fork ranting alone is not
a justification enough.

> 3. Multiple copies of the same code base [3]

There are so many other multiple copies of code in Debian (i.e. xemacs21)
that this single leaf package doesn't really make a difference.

> 4. Although not specified in Debian Policy, I believe the Debian
> Project generally does not wish to see "unmaintainable" software in
> Debian, especially if there are maintainable alternatives.

I don't see how this package is unmaintainable. Do you think that
Gianfranco is not up to the job to take care of a simple package like
xchat?

Are we now questioning the skills of each other in public?

> 5. I'm definitely nitpicking here, but the new Debian maintainer did
> not completely follow the Developers Reference practice for
> re-introducing a package by filing an ITP and CCing debian-devel. [4]
> Therefore, in my opinion, the Debian project never collectively agreed
> to xchat's reintroduction to Debian.

Yes, you are nitpicking. Because the Debian Project doesn't have to
give their consent to let a package in the archive. That's the job
of Debian's FTP masters.

>> I don't think a rant posted on reddit by the author of a fork
>> is justified enough to ask for a package to be removed from
>> the archive.
> 
> The author posted his opinion to his personal blog and did not
> directly start the reddit discussion. Also, that author is the subject
> matter expert here and I think we should give due deference to his
> understanding of the security issues present in xchat for which he did
> not seek CVE designations.

If he is an expert, why didn't he even bother posting a single valid
example where xchat is insecure and posing a risk to its users.

If there are valid vulnerabilities, it shouldn't a problem to list
them.

>> As long as there aren't any serious policy or security issues,
>> Debian usually doesn't impose any limitations on what packages
>> get maintained in the archive and which not.
> 
> Yes, I'm well aware of your position since I've read the reddit discussion.
> 
> However, your characterization of Debian's practice is inaccurate. For
> instance, I'm helping to remove hundreds of packages from Debian right
> now. The packages often are maintained more or less in Debian but have
> had no upstream development for years. [5]

Wasn't there recently a discussion on debian-devel that was started
that people were complaining about packages getting removed way too
quickly?

I really don't think that your reasoning is acceptable. None of the
the points you mentioned above list actual problems. Both you and
the maintainer of the fork fail to list any actual vulnerabilities.

And, to be honest, I would find it more constructive to take care
of packages like mozjs52 which have are far more important than
a leaf package like xchat yet they haven't seen any fixes and uploads
for months with bug reports remaining unanswered.

Thanks,
Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaubitz@debian.org
`. `'   Freie Universitaet Berlin - glaubitz@physik.fu-berlin.de
  `-    GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913

Message #30 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupre <anarcat@debian.org>

To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 891982@bugs.debian.org

Cc: Jeremy Bicha <jbicha@ubuntu.com>

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Sun, 4 Mar 2018 14:35:15 -0500

[Message part 1 (text/plain, inline)]

On Sun, Mar 04, 2018 at 05:50:15PM +0100, John Paul Adrian Glaubitz wrote:
> >> I don't think a rant posted on reddit by the author of a fork
> >> is justified enough to ask for a package to be removed from
> >> the archive.
> > 
> > The author posted his opinion to his personal blog and did not
> > directly start the reddit discussion. Also, that author is the subject
> > matter expert here and I think we should give due deference to his
> > understanding of the security issues present in xchat for which he did
> > not seek CVE designations.
> 
> If he is an expert, why didn't he even bother posting a single valid
> example where xchat is insecure and posing a risk to its users.
> 
> If there are valid vulnerabilities, it shouldn't a problem to list
> them.

So in response to this request, I have contacted TingPing regarding his
claims, to try and clarify which security issues he has found in XChat
during the maintenance of hexchat. He was kind enough to respond
with a few examples.

He pointed at 4 recent commits fixing remote crashes when connecting to
an untrusted IRC server:

https://github.com/hexchat/hexchat/commit/f4a592c4f0364d35068bca9f2634946750340356
https://github.com/hexchat/hexchat/commit/a3db4e577307742965f5ba75daf03146164bd211
https://github.com/hexchat/hexchat/commit/6e4fc09ce005db965523ef8930ea51ca429815a2
https://github.com/hexchat/hexchat/commit/f6333b592b0d574d68e96d04a09a6cae956ee6c3

Those have been discovered by fuzzing and are generally not possible to
trigger by other users but could be abused by a hostile server to
trigger a crash in Xchat. In general, he said that most issues were
"mostly" in that domain, but he doesn't exclude crashes triggered by
other users which would be more worrisome.

I hope this answers the demand of proving the claims of security issues
more clearly.
 
Have a nice day!

A.

[signature.asc (application/pgp-signature, inline)]

Message #35 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: Jeremy Bicha <jbicha@ubuntu.com>, "891982@bugs.debian.org" <891982@bugs.debian.org>

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Mon, 5 Mar 2018 09:04:12 +0000 (UTC)

control: severity -1 important
control: clone -1 -2
control: reassign -2 src:hexchat
control: retitle -2 hexchat: current upstream maintainer is fixing security bugs without disclosing them, making hexchat completely unsafe for stable releases

Hello,

(I'm cloning based on the fact that new upstream hexchat maintainer is not disclosing security bugs, see the last line of my answer)


(please note, as a *current* maintainer, I think this shouldn't be RC, unless somebody points out
*real* issues to the package.)
>1. "in the maintainer's opinion, makes the package unsuitable for release" [1]


this is a complete non-sense.
the Xchat that has been removed is really different from the one that is currently in testing, it
has been patched for all the outstanding security vulnerabilities, packaging has been redone mostly
from scratch, I fixed a lot of bugs, and added a lot of patches.

Sorry, but the previous maintainers filed an RM bug for a package that is completely different from
the actual one.

>2. "introduces a security hole on systems where you install the packages" [2]


pics or didn't happen, you are *all* speculating here.

>3. Multiple copies of the same code base [3]


I disagree even here, the fork is now a lot different from the original code, even cherry-picking patches
is becoming difficult right now, but the codebase of xchat is even smaller (I didn't check this claim).
>4. Although not specified in Debian Policy, I believe the Debian
>Project generally does not wish to see "unmaintainable" software in
>Debian, especially if there are maintainable alternatives.


Maintainable, unless you prove me wrong.
It had 6 uploads with patches in the last 6 months, I wouldn't say "unmaintainable".
(one was done by security team, using my patches to patch stable, so this has been even a good chance to fix older systems)

Please, point out real issues, not something "read over the internet".

>5. I'm definitely nitpicking here, but the new Debian maintainer did
>not completely follow the Developers Reference practice for
>re-introducing a package by filing an ITP and CCing debian-devel. [4]
>Therefore, in my opinion, the Debian project never collectively agreed
>to xchat's reintroduction to Debian.


to be honest, this is the real good issue over the whole discussion. I have been asking some friend DDs about this point,
and I don't really think we have a good policy for such cases, it would be nice to write one down, because I don't know
the policy applies here.
>The author posted his opinion to his personal blog and did not
>directly start the reddit discussion. Also, that author is the subject
>matter expert here and I think we should give due deference to his
>understanding of the security issues present in xchat for which he did
>not seek CVE designations.


he started the reddit discussion, after commenting on another thread, with a completely
unrelated topic [1]

[1] 
https://www.reddit.com/r/linux/comments/8158na/appimagehub_crowdsourced_central_appimage/?st=je9p019d&sh=5ecc7dd3

>Yes, I'm well aware of your position since I've read the reddit discussion.
>However, your characterization of Debian's practice is inaccurate. For
>instance, I'm helping to remove hundreds of packages from Debian right
>now. The packages often are maintained more or less in Debian but have

>had no upstream development for years. [5]

Ok, so what about integrating patches, fixing two more bugs and then releasing a new upstream tarball?
would that make you stop asking to remove maintained packages?

I don't think this can actually make things better, but meh, I really don't get how this
discussion can continue, based only on assumptions, and not facts.
(seriously, we have a lot of software, and I'm not contrary on removing old stuff, but *please*
point me issues, not speculations).

Right now this bug is non-sense.

BTW: people had more than "400 comments on reddit" about some well known init system, did you file a removal
bug for it too?

talking about something is not really.

and last thing:
if the hexchat maintainer, has fixed security bugs without disclosing them, this would make everybody running stable
unsecure by definition. Lets move the discussion also on hexchat then.

cheers,

Gianfranco

Message #44 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: "891982@bugs.debian.org" <891982@bugs.debian.org>

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Mon, 5 Mar 2018 09:08:44 +0000 (UTC)

Hello,
>He pointed at 4 recent commits fixing remote crashes when connecting to
>an untrusted IRC server:


oh well, I could point that connecting to unsecure websites, can hurt your browser too :)
Seriously, an irc client crashing when connecting to a new server, is not as an issue
as it might seem :)

I could even fix them, but we have a lot of mayem? bugs opened with researches
doing fuzzy tests on binaries in the archive... and they are even more valid than this one.

G.

Message #49 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: "891982@bugs.debian.org" <891982@bugs.debian.org>

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Mon, 5 Mar 2018 09:13:48 +0000 (UTC)

Hello,

>I don't see how this package is unmaintainable. Do you think that
>Gianfranco is not up to the job to take care of a simple package like
>xchat?
>
>Are we now questioning the skills of each other in public?


I don't think this is the point, I don't take this as personal, and I hope
Jeremy won't too (I really think he is doing a great job here, and we worked
together on a real high number of transitions, helping each others since years),
so lets avoid going on this direction, this won't ever hurt me personally,
and I want only to see something real about this package, not something theoretical
about the ideal world :) .

thanks for understanding,

G.

Message #54 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Gianfranco Costamagna <locutusofborg@debian.org>

To: 891982@bugs.debian.org

Subject: Re: Bug#891982: xchat: Intent to file removal bug

Date: Mon, 5 Mar 2018 11:38:43 +0100

[Message part 1 (text/plain, inline)]

Hello, for sake of transparency, I'm also publicly stating the private discussion we had with hexchat author
(who quoted parts of my answer email on his blog, so I presume this is fine)

email:

Hi, I'm the HexChat maintainer and I noticed you re-added XChat to the Debian repositories. To be frank I am baffled and confused.
XChat is a dead project that has not seen a release in 8 years now and as somebody who has worked on that codebase for many
of those 8 years it is an awful codebase full of vulnerabilities and bugs. I cannot fathom why a distro, especially one like Debian
that cares about quality, would even consider adding this to the repositories. I can only assume HexChat did something to anger
you but I feel like putting Debian users at risk is the wrong solution to your concerns. I don't expect you to undo this but I am
just curious on how or why it happened.


my answer:

Hello patrick!
>Hi, I'm the HexChat maintainer
thanks for maintaining HexChat! It is now my *first* irc client, I switched from xchat to hexchat since some years

>and I noticed you re-added XChat to the Debian repositories. To be frank I am baffled and confused.>XChat is a dead project that has not seen a release in 8 years now and as somebody who has worked on that codebase for many
>of those 8 years it is an awful codebase full of vulnerabilities and bugs. I cannot fathom why a distro, especially one like Debian
>that cares about quality, would even consider adding this to the repositories. I can only assume HexChat did something to anger
>you but I feel like putting Debian users at risk is the wrong solution to your concerns. I don't expect you to undo this but I am

>just curious on how or why it happened.

you did absolutely *nothing* wrong, and I think your point is really valid.
Unfortunately I have to add something on top of your words! Hexchat is dead upstream, this might be true, but it is not "full of bugs and security
holes", at least not after I adopted it, because I patched all the CVEs and various bugs that have been around since the begin.

I don't really have an answer for my adoption of xchat in Debian, it has been my first irc client, back in the days irc was really used, I loved it,
I didn't love the hexchat necessary switch, but now I'm used to the new graphic, and I find it even superior.

that said, I like to have a B plan in case hexchat stops working because of some new features requiring new systems, new libraries not available
maybe on older pc (e.g.I maintain an Ubuntu ppa that builds xchat back to Ubuntu 14.04, I don't think hexchat can run on such older systems without
patching, mainly due to the necessary switch to new libraries and better graphics.

I was confused about the reintroduction, as well as you, but since the first upload, I got a lot of emails, thanking me bringing it back, and a
backport request really minutes after it has hit unstable again. Other Debian Developers asked me to comaintain backports on older Debian 
distributions, so I think I wasn't the only one feeling nostalgic of the old days, and old graphics :)

BTW, xchat is *fixed* for CVEs, and *stable* wrt libraries, I could even say that developing something increases the possibility to introduce new bugs :)

(this is a joke, please don't take it seriously!).

I often have something that breaks on my development laptop, because I install new libraries, and test combinations of stuff that is not "what we release".
Since I use irc a lot, having a backup plan for an irc connection is something I really need to have, even if right now 95% of the time is Hexchat, and 0.5% xchat.

Anyhow, unless you really find bugs / vulnerabilities in xchat/Debian, I would like to keep it in the archive for some more years, maybe until Ubuntu 14.04 goes
End Of Life, or maybe until I find another good replacement for hexchat in case of breakages :)

BTW don't feel bad, I'm not stealing users to hexchat, popcon seems to agree that xchat is really for a bunch of old developers left :)
https://qa.debian.org/popcon.php?package=xchat
https://qa.debian.org/popcon.php?package=hexchat

I hope I did answer to you, please let me know if I missed anything, I'm really open to a discussion, even public on this topic :)

cheers!
(and thanks for hexchat!)
Gianfranco

---

[signature.asc (application/pgp-signature, attachment)]

Message #59 received at 891982@bugs.debian.org (full text, mbox, reply):

From: Federico Pietro Briata <federico@briata.org>

To: 891982@bugs.debian.org

Subject: Re: xchat: Intent to file removal bug

Date: Tue, 6 Mar 2018 01:42:38 +0100

[Message part 1 (text/plain, inline)]

Hi all,
just came across this bug...

As xchat user since Debian Woody I would like to thanks Gianfranco too for
maintaining and bring it back.

regards,
Federico

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.