pkg-perl-maintainers team mailing list archive
-
pkg-perl-maintainers team
-
Mailing list archive
-
Message #04236
[Bug 1936970] Re: [MIR] libnet-snmp-perl as a dependency of amavisd-new
** Description changed:
[Summary]
=========
Please promote bin:libnet-snmp-perl to main. It's the only binary
package built by src:libnet-snmp-perl. The package is a "new" dependency
of bin:amavisd-new, which is in main. I say "new" in quotes because is
was already a dependency, but d/control missed it up to version
1:2.11.1-5, see [0].
[Rationale]
===========
libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
has been the case since version 2.6.4. Note that Precise packages version
2.6.5 already.
The missing dependency is not immediately visible at such as it only
causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
the amavisd-new package and therefore is in main.
[Availability]
==============
- Upstream: the project exists as NetSNMP since year 2000, but stems from
- the cmu-snmp library which already existed in 1995. NetSNMP still
- actively maintained as the git history [1] shows.
+ Upstream: the module exists since 1998. Upstream development doesn't
+ seem to be active, but OTOH this module like many others in the perl5
+ ecosystem can be considered in maintenance mode at this point.
- Debian/Ubuntu: libnet-snmp-perl was first packaged in Debian in 2000.
+ Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
+ actively maintained, see [3] and d/changelog.
- It is extremely unlikely that the library will be abandoned or deprecated
- in the foreseeable future.
+ Ubuntu: the package is a sync from Debian across all the supported
+ Ubuntu releases (and also across the >=Precise unsupported ones).
- The package is a sync from Debian across all the supported Ubuntu
- releases (and also across the >=Precise unsupported ones).
+ It is unlikely that the library will be superseded or deprecated in the
+ foreseeable future.
[Security]
==========
The package is a SNMP client library. It provides no daemons or services
in general, does not open ports, does not require special privileges to
operate, and does not install setuid binaries.
I see no need for looping in the security team.
[Quality assurance]
===================
Upstream has a test suite which is exercised during the .deb package
build.
Debian has only one bug open against the package, which IIUC is about
how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
forwarded upstream, and IMO shouldn't be considered a blocker for main
inclusion.
Ubuntu has no bugs filed against the package.
Upstream tracks issues on GitHub, development is active.
[Dependencies]
Depends only on perl:any, so we're good here.
[Standards compliance]
The package is in good shape, it's well maintained and follows
standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
- There are however some overrides. For the source package there is:
-
- # Upstream does not provide a repository, so we cannot mention it in metadata
- libnet-snmp-perl source: upstream-metadata-missing-repository
-
- which is not true anymore. I filed a minor bug in Debian for
- this [3] as it was under my fingers already, but it's not worth
- a delta and it's not a blocker for anything.
-
- The binary package has two (related) overrides:
+ There are however two lintian overrides for the binary package:
libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
Lintian is right, but apparently the Debian maintainers decided this is
a wontfix. The fix would consist in splitting out a "-tools" package out
of the "lib" one, I can see it's probably not worth it.
(FWIW I wouldn't have added the override as the lintian is right.)
[Maintenance]
=============
The Server Team will maintain the package. The maintenance effort is
expected to be very low.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
- [1] https://github.com/net-snmp/net-snmp
+ [1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
[2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
- [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991350
+ [3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl
** Description changed:
[Summary]
=========
Please promote bin:libnet-snmp-perl to main. It's the only binary
package built by src:libnet-snmp-perl. The package is a "new" dependency
of bin:amavisd-new, which is in main. I say "new" in quotes because is
was already a dependency, but d/control missed it up to version
1:2.11.1-5, see [0].
[Rationale]
===========
libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
has been the case since version 2.6.4. Note that Precise packages version
2.6.5 already.
The missing dependency is not immediately visible at such as it only
causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
the amavisd-new package and therefore is in main.
[Availability]
==============
Upstream: the module exists since 1998. Upstream development doesn't
seem to be active, but OTOH this module like many others in the perl5
ecosystem can be considered in maintenance mode at this point.
Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
- actively maintained, see [3] and d/changelog.
+ actively maintained, see [3] and d/changelog.
Ubuntu: the package is a sync from Debian across all the supported
Ubuntu releases (and also across the >=Precise unsupported ones).
It is unlikely that the library will be superseded or deprecated in the
foreseeable future.
[Security]
==========
The package is a SNMP client library. It provides no daemons or services
in general, does not open ports, does not require special privileges to
operate, and does not install setuid binaries.
I see no need for looping in the security team.
[Quality assurance]
===================
Upstream has a test suite which is exercised during the .deb package
build.
Debian has only one bug open against the package, which IIUC is about
how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
forwarded upstream, and IMO shouldn't be considered a blocker for main
inclusion.
Ubuntu has no bugs filed against the package.
-
- Upstream tracks issues on GitHub, development is active.
[Dependencies]
Depends only on perl:any, so we're good here.
[Standards compliance]
The package is in good shape, it's well maintained and follows
standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
There are however two lintian overrides for the binary package:
libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
Lintian is right, but apparently the Debian maintainers decided this is
a wontfix. The fix would consist in splitting out a "-tools" package out
of the "lib" one, I can see it's probably not worth it.
(FWIW I wouldn't have added the override as the lintian is right.)
[Maintenance]
=============
The Server Team will maintain the package. The maintenance effort is
expected to be very low.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
[1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
[2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
[3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl
** Description changed:
[Summary]
=========
Please promote bin:libnet-snmp-perl to main. It's the only binary
package built by src:libnet-snmp-perl. The package is a "new" dependency
of bin:amavisd-new, which is in main. I say "new" in quotes because is
was already a dependency, but d/control missed it up to version
1:2.11.1-5, see [0].
[Rationale]
===========
libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
- The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
+ The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release notes [2] this
has been the case since version 2.6.4. Note that Precise packages version
2.6.5 already.
The missing dependency is not immediately visible at such as it only
causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
the amavisd-new package and therefore is in main.
[Availability]
==============
Upstream: the module exists since 1998. Upstream development doesn't
seem to be active, but OTOH this module like many others in the perl5
ecosystem can be considered in maintenance mode at this point.
Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
actively maintained, see [3] and d/changelog.
Ubuntu: the package is a sync from Debian across all the supported
Ubuntu releases (and also across the >=Precise unsupported ones).
It is unlikely that the library will be superseded or deprecated in the
foreseeable future.
[Security]
==========
The package is a SNMP client library. It provides no daemons or services
in general, does not open ports, does not require special privileges to
operate, and does not install setuid binaries.
I see no need for looping in the security team.
[Quality assurance]
===================
Upstream has a test suite which is exercised during the .deb package
build.
Debian has only one bug open against the package, which IIUC is about
how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
forwarded upstream, and IMO shouldn't be considered a blocker for main
inclusion.
Ubuntu has no bugs filed against the package.
[Dependencies]
Depends only on perl:any, so we're good here.
[Standards compliance]
The package is in good shape, it's well maintained and follows
standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
There are however two lintian overrides for the binary package:
libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
Lintian is right, but apparently the Debian maintainers decided this is
a wontfix. The fix would consist in splitting out a "-tools" package out
of the "lib" one, I can see it's probably not worth it.
(FWIW I wouldn't have added the override as the lintian is right.)
[Maintenance]
=============
The Server Team will maintain the package. The maintenance effort is
expected to be very low.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
[1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
[2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
[3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl
** Description changed:
[Summary]
=========
Please promote bin:libnet-snmp-perl to main. It's the only binary
package built by src:libnet-snmp-perl. The package is a "new" dependency
of bin:amavisd-new, which is in main. I say "new" in quotes because is
was already a dependency, but d/control missed it up to version
1:2.11.1-5, see [0].
[Rationale]
===========
libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release notes [2] this
has been the case since version 2.6.4. Note that Precise packages version
2.6.5 already.
The missing dependency is not immediately visible at such as it only
causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
the amavisd-new package and therefore is in main.
[Availability]
==============
Upstream: the module exists since 1998. Upstream development doesn't
seem to be active, but OTOH this module like many others in the perl5
ecosystem can be considered in maintenance mode at this point.
Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
actively maintained, see [3] and d/changelog.
Ubuntu: the package is a sync from Debian across all the supported
Ubuntu releases (and also across the >=Precise unsupported ones).
It is unlikely that the library will be superseded or deprecated in the
foreseeable future.
[Security]
==========
The package is a SNMP client library. It provides no daemons or services
in general, does not open ports, does not require special privileges to
operate, and does not install setuid binaries.
I see no need for looping in the security team.
[Quality assurance]
===================
Upstream has a test suite which is exercised during the .deb package
build.
Debian has only one bug open against the package, which IIUC is about
- how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
+ how the module handles a non-RFC-compliant SNMP server. The bug has been
forwarded upstream, and IMO shouldn't be considered a blocker for main
inclusion.
+
+ Upstream bugs are tracked on CPAN [4]. The bug count is low given the
+ age of the project, with the latest ones being forwards from Debian.
+ I can see no red flags there.
Ubuntu has no bugs filed against the package.
[Dependencies]
Depends only on perl:any, so we're good here.
[Standards compliance]
The package is in good shape, it's well maintained and follows
standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
There are however two lintian overrides for the binary package:
libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
Lintian is right, but apparently the Debian maintainers decided this is
a wontfix. The fix would consist in splitting out a "-tools" package out
of the "lib" one, I can see it's probably not worth it.
(FWIW I wouldn't have added the override as the lintian is right.)
[Maintenance]
=============
The Server Team will maintain the package. The maintenance effort is
expected to be very low.
[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
[1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
[2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
[3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl
+ [4] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-SNMP
--
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libnet-snmp-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1936970
Title:
[MIR] libnet-snmp-perl as a dependency of amavisd-new
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnet-snmp-perl/+bug/1936970/+subscriptions
References
