← Back to team overview

pkg-perl-maintainers team mailing list archive

[Bug 1936970] Re: [MIR] libnet-snmp-perl as a dependency of amavisd-new

 

** Description changed:

  [Summary]
  =========
  
  Please promote bin:libnet-snmp-perl to main. It's the only binary
  package built by src:libnet-snmp-perl. The package is a "new" dependency
  of bin:amavisd-new, which is in main. I say "new" in quotes because is
  was already a dependency, but d/control missed it up to version
  1:2.11.1-5, see [0].
  
  [Rationale]
  ===========
  
  libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
  The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
  has been the case since version 2.6.4. Note that Precise packages version
  2.6.5 already.
  
  The missing dependency is not immediately visible at such as it only
  causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
  the amavisd-new package and therefore is in main.
  
  [Availability]
  ==============
  
- Upstream: the project exists as NetSNMP since year 2000, but stems from
- the cmu-snmp library which already existed in 1995. NetSNMP still
- actively maintained as the git history [1] shows.
+ Upstream: the module exists since 1998. Upstream development doesn't
+ seem to be active, but OTOH this module like many others in the perl5
+ ecosystem can be considered in maintenance mode at this point.
  
- Debian/Ubuntu: libnet-snmp-perl was first packaged in Debian in 2000.
+ Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
+ actively maintained, see [3] and d/changelog. 
  
- It is extremely unlikely that the library will be abandoned or deprecated
- in the foreseeable future.
+ Ubuntu: the package is a sync from Debian across all the supported
+ Ubuntu releases (and also across the >=Precise unsupported ones).
  
- The package is a sync from Debian across all the supported Ubuntu
- releases (and also across the >=Precise unsupported ones).
+ It is unlikely that the library will be superseded or deprecated in the
+ foreseeable future.
  
  [Security]
  ==========
  
  The package is a SNMP client library. It provides no daemons or services
  in general, does not open ports, does not require special privileges to
  operate, and does not install setuid binaries.
  
  I see no need for looping in the security team.
  
  [Quality assurance]
  ===================
  
  Upstream has a test suite which is exercised during the .deb package
  build.
  
  Debian has only one bug open against the package, which IIUC is about
  how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
  forwarded upstream, and IMO shouldn't be considered a blocker for main
  inclusion.
  
  Ubuntu has no bugs filed against the package.
  
  Upstream tracks issues on GitHub, development is active.
  
  [Dependencies]
  
  Depends only on perl:any, so we're good here.
  
  [Standards compliance]
  
  The package is in good shape, it's well maintained and follows
  standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
  
  X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
  
- There are however some overrides. For the source package there is:
- 
- # Upstream does not provide a repository, so we cannot mention it in metadata
- libnet-snmp-perl source: upstream-metadata-missing-repository
- 
- which is not true anymore. I filed a minor bug in Debian for
- this [3] as it was under my fingers already, but it's not worth
- a delta and it's not a blocker for anything.
- 
- The binary package has two (related) overrides:
+ There are however two lintian overrides for the binary package:
  
  libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
  libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
  
  Lintian is right, but apparently the Debian maintainers decided this is
  a wontfix. The fix would consist in splitting out a "-tools" package out
  of the "lib" one, I can see it's probably not worth it.
  
  (FWIW I wouldn't have added the override as the lintian is right.)
  
  [Maintenance]
  =============
  
  The Server Team will maintain the package. The maintenance effort is
  expected to be very low.
  
  [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
- [1] https://github.com/net-snmp/net-snmp
+ [1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
  [2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
- [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991350
+ [3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl

** Description changed:

  [Summary]
  =========
  
  Please promote bin:libnet-snmp-perl to main. It's the only binary
  package built by src:libnet-snmp-perl. The package is a "new" dependency
  of bin:amavisd-new, which is in main. I say "new" in quotes because is
  was already a dependency, but d/control missed it up to version
  1:2.11.1-5, see [0].
  
  [Rationale]
  ===========
  
  libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
  The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
  has been the case since version 2.6.4. Note that Precise packages version
  2.6.5 already.
  
  The missing dependency is not immediately visible at such as it only
  causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
  the amavisd-new package and therefore is in main.
  
  [Availability]
  ==============
  
  Upstream: the module exists since 1998. Upstream development doesn't
  seem to be active, but OTOH this module like many others in the perl5
  ecosystem can be considered in maintenance mode at this point.
  
  Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
- actively maintained, see [3] and d/changelog. 
+ actively maintained, see [3] and d/changelog.
  
  Ubuntu: the package is a sync from Debian across all the supported
  Ubuntu releases (and also across the >=Precise unsupported ones).
  
  It is unlikely that the library will be superseded or deprecated in the
  foreseeable future.
  
  [Security]
  ==========
  
  The package is a SNMP client library. It provides no daemons or services
  in general, does not open ports, does not require special privileges to
  operate, and does not install setuid binaries.
  
  I see no need for looping in the security team.
  
  [Quality assurance]
  ===================
  
  Upstream has a test suite which is exercised during the .deb package
  build.
  
  Debian has only one bug open against the package, which IIUC is about
  how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
  forwarded upstream, and IMO shouldn't be considered a blocker for main
  inclusion.
  
  Ubuntu has no bugs filed against the package.
- 
- Upstream tracks issues on GitHub, development is active.
  
  [Dependencies]
  
  Depends only on perl:any, so we're good here.
  
  [Standards compliance]
  
  The package is in good shape, it's well maintained and follows
  standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
  
  X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
  
  There are however two lintian overrides for the binary package:
  
  libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
  libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
  
  Lintian is right, but apparently the Debian maintainers decided this is
  a wontfix. The fix would consist in splitting out a "-tools" package out
  of the "lib" one, I can see it's probably not worth it.
  
  (FWIW I wouldn't have added the override as the lintian is right.)
  
  [Maintenance]
  =============
  
  The Server Team will maintain the package. The maintenance effort is
  expected to be very low.
  
  [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
  [1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
  [2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
  [3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl

** Description changed:

  [Summary]
  =========
  
  Please promote bin:libnet-snmp-perl to main. It's the only binary
  package built by src:libnet-snmp-perl. The package is a "new" dependency
  of bin:amavisd-new, which is in main. I say "new" in quotes because is
  was already a dependency, but d/control missed it up to version
  1:2.11.1-5, see [0].
  
  [Rationale]
  ===========
  
  libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
- The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release noted [2] this
+ The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release notes [2] this
  has been the case since version 2.6.4. Note that Precise packages version
  2.6.5 already.
  
  The missing dependency is not immediately visible at such as it only
  causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
  the amavisd-new package and therefore is in main.
  
  [Availability]
  ==============
  
  Upstream: the module exists since 1998. Upstream development doesn't
  seem to be active, but OTOH this module like many others in the perl5
  ecosystem can be considered in maintenance mode at this point.
  
  Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
  actively maintained, see [3] and d/changelog.
  
  Ubuntu: the package is a sync from Debian across all the supported
  Ubuntu releases (and also across the >=Precise unsupported ones).
  
  It is unlikely that the library will be superseded or deprecated in the
  foreseeable future.
  
  [Security]
  ==========
  
  The package is a SNMP client library. It provides no daemons or services
  in general, does not open ports, does not require special privileges to
  operate, and does not install setuid binaries.
  
  I see no need for looping in the security team.
  
  [Quality assurance]
  ===================
  
  Upstream has a test suite which is exercised during the .deb package
  build.
  
  Debian has only one bug open against the package, which IIUC is about
  how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
  forwarded upstream, and IMO shouldn't be considered a blocker for main
  inclusion.
  
  Ubuntu has no bugs filed against the package.
  
  [Dependencies]
  
  Depends only on perl:any, so we're good here.
  
  [Standards compliance]
  
  The package is in good shape, it's well maintained and follows
  standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
  
  X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
  
  There are however two lintian overrides for the binary package:
  
  libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
  libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
  
  Lintian is right, but apparently the Debian maintainers decided this is
  a wontfix. The fix would consist in splitting out a "-tools" package out
  of the "lib" one, I can see it's probably not worth it.
  
  (FWIW I wouldn't have added the override as the lintian is right.)
  
  [Maintenance]
  =============
  
  The Server Team will maintain the package. The maintenance effort is
  expected to be very low.
  
  [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
  [1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
  [2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
  [3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl

** Description changed:

  [Summary]
  =========
  
  Please promote bin:libnet-snmp-perl to main. It's the only binary
  package built by src:libnet-snmp-perl. The package is a "new" dependency
  of bin:amavisd-new, which is in main. I say "new" in quotes because is
  was already a dependency, but d/control missed it up to version
  1:2.11.1-5, see [0].
  
  [Rationale]
  ===========
  
  libnet-snmp-perl is a runtime dependency of amavisd-new, which is in main.
  The packages is not in main already because it was not specified in d/control, see [0]. According to the upstream release notes [2] this
  has been the case since version 2.6.4. Note that Precise packages version
  2.6.5 already.
  
  The missing dependency is not immediately visible at such as it only
  causes failures when using amavisd-snmp-subagent, a tool to facilitate the monitoring of the filtering system via snmp. The agent is shipped with
  the amavisd-new package and therefore is in main.
  
  [Availability]
  ==============
  
  Upstream: the module exists since 1998. Upstream development doesn't
  seem to be active, but OTOH this module like many others in the perl5
  ecosystem can be considered in maintenance mode at this point.
  
  Debian: libnet-snmp-perl was first packaged in Debian in 2000 and it's
  actively maintained, see [3] and d/changelog.
  
  Ubuntu: the package is a sync from Debian across all the supported
  Ubuntu releases (and also across the >=Precise unsupported ones).
  
  It is unlikely that the library will be superseded or deprecated in the
  foreseeable future.
  
  [Security]
  ==========
  
  The package is a SNMP client library. It provides no daemons or services
  in general, does not open ports, does not require special privileges to
  operate, and does not install setuid binaries.
  
  I see no need for looping in the security team.
  
  [Quality assurance]
  ===================
  
  Upstream has a test suite which is exercised during the .deb package
  build.
  
  Debian has only one bug open against the package, which IIUC is about
- how net-snmp handles a non-RFC-compliant SNMP server. The bug has been
+ how the module handles a non-RFC-compliant SNMP server. The bug has been
  forwarded upstream, and IMO shouldn't be considered a blocker for main
  inclusion.
+ 
+ Upstream bugs are tracked on CPAN [4]. The bug count is low given the
+ age of the project, with the latest ones being forwards from Debian.
+ I can see no red flags there.
  
  Ubuntu has no bugs filed against the package.
  
  [Dependencies]
  
  Depends only on perl:any, so we're good here.
  
  [Standards compliance]
  
  The package is in good shape, it's well maintained and follows
  standards and best practices. The only thing `lintian -EvIL +pedantic` complains about is:
  
  X: libnet-snmp-perl source: debian-watch-does-not-check-gpg-signature
  
  There are however two lintian overrides for the binary package:
  
  libnet-snmp-perl: library-package-name-for-application usr/bin/snmpkey
  libnet-snmp-perl: application-in-library-section perl usr/bin/snmpkey
  
  Lintian is right, but apparently the Debian maintainers decided this is
  a wontfix. The fix would consist in splitting out a "-tools" package out
  of the "lib" one, I can see it's probably not worth it.
  
  (FWIW I wouldn't have added the override as the lintian is right.)
  
  [Maintenance]
  =============
  
  The Server Team will maintain the package. The maintenance effort is
  expected to be very low.
  
  [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=936052
  [1] https://fastapi.metacpan.org/source/DTOWN/Net-SNMP-v6.0.1/Changes
  [2] https://gitlab.com/amavis/amavis/-/blob/master/RELEASE_NOTES
  [3] https://salsa.debian.org/perl-team/modules/packages/libnet-snmp-perl
+ [4] https://rt.cpan.org/Public/Dist/Display.html?Name=Net-SNMP

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libnet-snmp-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1936970

Title:
  [MIR] libnet-snmp-perl as a dependency of amavisd-new

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnet-snmp-perl/+bug/1936970/+subscriptions



References