On Wed, Jun 18, 2008 at 02:09:06PM +0200, A Mennucc wrote: > On Wed, Jun 18, 2008 at 10:29:17AM +0100, Neil McGovern wrote: > > Neither, it's the RC policy which carries more weight than a RG: > > http://release.debian.org/lenny/rc_policy.txt > > > > 5a) Packages in the archive must not be so buggy or out of date that we > > refuse to support them. > > > > The security team has confirmed multiple times that this is no longer > > supportable. > > Your phrase "no longer" confirms that there is a fundamental > misunderstanding in this point. > > The package 'mplayer' is not 'so buggy', it has 40 bugs, > and that is average. > The only RC bug that 'mplayer' has is 395252. > > This bug says "mplayer requires too much security maintainance work due to > embedded ffmpeg copy". > > But this "too much security work" was claimed even before etch was > released, and is a claim that had and still has no supporting facts. > > Indeed 'mplayer' had 3 security updates so far in Etch. > No one of those security updates was fixed by patching > code in the ffmpeg library. > > So this whole bug 395252 is based on an apriori assumption; > moreover this assumption was proved wrong by facts. > > Summarizing, you are deciding that mplayer is too buggy to be > supported because of a bug that claims that same argument. > > Don't you see how circular this whole reasoning is? > > ---- > > Not to mention that, for reasons behond my comprehension, > mplayer is the only package targetted by this reasoning. > > 1) As I said in the other email, the policy 3.8.0 > now contains a paragraph [14.3] against embedded copies, > that is though waived for Lenny. For some reasons, you > do not accept that mplayer be given the same treatment. > > 2) Another point is that > http://svn.debian.org/wsvn/secure-testing/data/embedded-code-copies?op=file&rev=0&sc=0 > lists many packages which ship embedded copies. One example is > mozilla/iceweasel/iceape. Iceweasel had 9 security bugs in Etch. > Iceweasel has ~500 bugs (!!). So iceweasel should be kept out of > Lenny, since it contains embedded copies of code and is quite > buggy. But no one is ever posting this RC bug. Why? Beats me.
Note iceweasel 3.0, which is planned for Lenny, while it contains embedded copy of code, does *not* use it. Find another example. Mike -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
