On Sun, Jun 30, 2002 at 02:48:26PM -0500, Matthew S. Hallacy wrote:
> Eggdrop (a project I've been working on for years) isn't nearly a
> 'corner application', yet stable still has 1.3.28 which is horribly
> bug-ridden (I do mean horribly). I've been told that this is because
> no further updates can be made to stable, yet these are remotely
> exploitable bugs that can grant shell access. (and shell access to
> every bot connected to that bot)

I would argue that eggdrop is certainly a corner application, concerning
only a few users.  The results from the package popularity-contest[1]
show[2] that eggdrop has very few users:

    Package               Vote   Old Recent Unknown
    eggdrop                 13    28    21     0

Granted, that's to say that of the people who install the
popularity-contest package, 13 people use the package regularly, 28
people have installed the package but have not used the package
recently, and 21 people have upgraded the package too recently to be
considered valid stats.  That's not a whole lot of people.

I looked at the bugs database for Debian and have not seen any security
level bugs being reported against the available versions (1.6.10-1 in
sid, 1.6.8-2 in potato).  In fact, I remember seeing eggdrop on the
orphaned list not too long ago.  The most recent bug that points to a
new upstream version is #142075[3], but like most of these requests,
its severity is "wishlist", not "Important", "Grave", or "Security".

Unless a bug makes it to the database, the package will be considered
"free and clear" of security concern.  Now, all of this info says
basically a few things.  1) Eggdrop is not a commonly used package,
statistically speaking in the context of current Debian users. 2)
Eggdrop may be more popular than the package popularity-contest shows,
with the more advanced users opting to install eggdrop from source. 3)
eggdrop hasn't received the most attention from its maintainer OR ITS
USERS.  Maintaining a package involves more than a dedicated maintainer.

If you have issues with any of these observations about eggdrop and its
place in Debian, report bugs to the database or send email to the
maintainer.  If you want to be really 31337, consider convincing the
upstream maintainers to create *.deb snapshots from their CVS and stable
repositories, taking the workload off the "maintainer" and putting it in
the hands of those people who really want to see the software used.

> Perhaps the people responsible for allowing people to create the
> packages should make sure the people are going to continue maintaining
> them, instead of doing it a few times a year to keep their name in it.

See my suggestion above.

> As I said, I run debian on my laptop because the only programs I run
> on the laptop are dhcpcd, kismet, prismstumbler, and ssh. For any
> system that I use as a desktop debian just doesn't cut it.
> 
> Hopefully the above changes will come about, I'd be willing to take
> another look at it as a desktop distribution.

Everyone has their own expectations and needs.  Debian works very well
as a Desktop Distribution at the IMA, thank you very much.  As my
personal distribution of choice, it works fine on the Desktop.  Still, I
might be what you'd consider a low-maintenance type of power user.

References
----------
1. http://people.debian.org/~apenwarr/popcon/ 
2. http://people.debian.org/~apenwarr/popcon/results.net.html
3. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=142075&repeatmerged=yes

-- 
Chad Walstrom <chewie at wookimus.net>                 | a.k.a. ^chewie
http://www.wookimus.net/                            | s.k.a. gunnarr