Bug 411205 - Remove net-im/amsn
Summary: Remove net-im/amsn
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Net-im project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2012-04-07 21:22 UTC by Pacho Ramos
Modified: 2012-05-19 12:40 UTC

See Also:
Package list:
Runtime testing required: ---


Description Pacho Ramos gentoo-dev 2012-04-07 21:22:14 UTC
It simply doesn't connect at all, upstream looks to no longer develop old amsn1 and debian already dropped it due to security issues:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654540

I think we should drop it

Reproducible: Always
Comment 1 Cyprien Nicolas (fulax) 2012-05-13 18:43:20 UTC
(In reply to comment #0)
> It simply doesn't connect at all, upstream looks to no longer develop old
> amsn1 and debian already dropped it due security issues:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654540
> 
> I think we should drop it

Actually, it does connect for me :-) At least for my two accounts.

I agree on security considerations, removal looks a sane option.
Comment 2 Youness Alaoui 2012-05-13 20:27:47 UTC
Hi,

I'm Youness (aka KaKaRoTo), an aMSN developer.
I don't understand this idea of "let's just remove it". aMSN is working and still maintained and any bugs are still going to get fixed, if they are properly reported. If it fails to connect for you, then why don't you come to our IRC channel (#amsn@freenode) and report it and we'll see how we can help you? Going directly to the gentoo bug tracker and requesting it to be completely removed from the distribution sounds completely absurd to me.

As for "debian" and their "security issues" that's total bullshit (excuse the term). That 'security' bug was never reported to us, we have an active community and we never heard about it. Also, this "security issue" is about someone doing a DoS on a port open by aMSN (which only happens for the few milliseconds during which a file transfer is being established) and I don't see how they can expect every application to have DoS counter measures! And the only security concern is that the application freezes (because it's under a DoS attack!). That's completely stupid, and ever since I was shown that bug and their ridiculous decision to remove it (because "there are better msn alternatives" and because some guy's opinion is now the absolute truth and that the fact that we still get over 200,000 downloads per month, with over 1 million downloads during releases, is completely irrelevant since some guy thinks there are "better alternatives"), well, ever since I was shown that bug report, I've refrained from doing anything, refrained from protesting, refrained from commenting on their bug report because I thought I would just not be able to keep my anger inside and I didn't want to publicly explode and disrespect whoever made that stupid decision.

Now gentoo thinks that it's again the simplest solution... great, let me open a bug report "Libre office crashed, I suggest we remove it from every Linux distribution" or better yet "I had a kernel panic the other day, let's not report the bug upstream, I suggest instead that we remove the linux kernel from the distribution".

I don't have anything more to say.

KaKaRoTo
Comment 3 Nikos Chantziaras 2012-05-13 22:06:17 UTC
Er, is this some attempt at humor? :-/  You can't just remove aMSN. We need it.
Comment 4 Olivier Crete (RETIRED) gentoo-dev 2012-05-14 04:41:50 UTC
In light of upstream's comments, I removed the p.mask entry.
Comment 5 Pacho Ramos gentoo-dev 2012-05-14 08:50:31 UTC
(In reply to comment #2)
> Hi,
> 
> I'm Youness (aka KaKaRoTo), an aMSN developer.
> I don't understand this idea of "let's just remove it". 

It's logical you don't understand it because that is not our idea at all.


>aMSN is working and
> still maintained and any bugs are still going to get fixed, if they are
> properly reported. 

>If it fails to connect for you, then why don't you come
> to our IRC channel (#amsn@freenode) and report it and we'll see how we can
> help you? Going directly to the gentoo bug tracker and requesting it to be
> completely removed from the distribution sounds completely absurd to me.
>

It's not completely absurd when amsn1 has no new release for years, debian killed it due to some security problems they blame to get unattended after supposedly getting them forwarded to upstream:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557754#16

> As for "debian" and their "security issues" that's total bullshit (excuse
> the term). That 'security' bug was never reported to us, we have an active
> community and we never heard about it. Also, this "security issue" is about
> someone doing a DoS on a port open by aMSN (which only happens for the few
> milliseconds during which a file transfer is being established) and I don't
> see how they can expect every application to have DoS counter measures! And
> the only security concern is that the application freezes (because it's
> under a DoS attack!). 

This will be better handled in its own bug then:
https://bugs.gentoo.org/show_bug.cgi?id=415861

>That's completely stupid, and ever since I was shown
> that bug and their ridiculous decision to remove it (because "there are
> better msn alternatives" and because some guy's opinion is now the absolute
> truth and that the fact that we still get over 200,000 downloads per month,
> with over 1 million downloads during releases, is completely irrelevant
> since some guy thinks there are "better alternatives"),

Well, I checked the status of this package on other important distributions and saw it was removed from debian, ubuntu, and I couldn't find it either in the official opensuse repo. It also has some open bug reports downstream here in gentoo that have been unattended for a long time.


> well, ever since I
> was shown that bug report, I've refrained from doing anything, refrained
> from protesting, refrained from commenting on their bug report because I
> thought I would just not be able to keep my anger inside and I didn't want
> to publicly explode and disrespect whoever made that stupid decision.
> 

I think it would be much better to comment and clarify things instead of coming here in such an aggressive way and "exploding"

> Now gentoo thinks that it's again the simplest solution... great, let me
> open a bug report "Libre office crashed, I suggest we remove it from every
> Linux distribution" or better yet "I had a kernel panic the other day, let's
> not report the bug upstream, I suggest instead that we remove the linux
> kernel from the distribution".
>

It's not the same case as explained.
 
> I don't have anything more to say.
> 
> KaKaRoTo

(In reply to comment #3)
> Er, is this some attempt at humor? :-/  You can't just remove aMSN. We need
> it.

Well, it has replacements, anyway, I am happy to see it preserved if bugs are fixed.
Comment 6 Pacho Ramos gentoo-dev 2012-05-14 08:53:39 UTC
Regarding the original connection issue, it looks like it works today for me, maybe it was a temporary failure and I wrongly thought it was caused by msn changes some months ago that broke a lot of unofficial clients:
http://blog.emesene.org/2011/11/emesene-is-unable-to-connect.html
Comment 7 Pacho Ramos gentoo-dev 2012-05-14 08:56:51 UTC
This is another case of an important bug still unfixed, it was reported to upstream but we are still waiting to get it fixed in a new version:
https://bugs.gentoo.org/show_bug.cgi?id=305417
Comment 8 Samuli Suominen (RETIRED) gentoo-dev 2012-05-14 10:47:38 UTC
(In reply to comment #4)
> In light of upstream's comments, I removed the p.mask entry.

I hope that means you also included yourself in metadata.xml as a primary maintainer to take care of the pending issues, otherwise unmasking wasn't warranted.

For example, stable libpng release has been 1.5 for about 1 and ½ half years but AMSN has had no releases since so there isn't likely much chance for the security bug ever getting fixed either without distribution maintainers writing patches themselves for it.
Comment 9 Olivier Crete (RETIRED) gentoo-dev 2012-05-14 13:48:35 UTC
(In reply to comment #8)
> (In reply to comment #4)
> > In light of upstream's comments, I removed the p.mask entry.
> 
> I hope that means you also included yourself in metadata.xml as a primary
> maintainer to take care of the pending issues, otherwise unmasking wasn't
> warranted.

I'm part of net-im, the primary maintainer, yes.
Comment 10 Youness Alaoui 2012-05-15 22:49:18 UTC
(In reply to comment #5)
> (In reply to comment #2)
> > Hi,
> > 
> > I'm Youness (aka KaKaRoTo), an aMSN developer.
> > I don't understand this idea of "let's just remove it". 
> 
> It's logical you don't understand it because that is not our idea at all.
How is that not your idea at all? The title of this "bug" is "remove net-im/amsn", your first comment was "I think we should drop it" and the second comment is "removal looks a sane option." and now you're saying it's logical I don't understand it because removing amsn was not your intention ? Is this a joke ?

> 
> 
> >aMSN is working and
> > still maintained and any bugs are still going to get fixed, if they are
> > properly reported. 
> 
> >If it fails to connect for you, then why don't you come
> > to our IRC channel (#amsn@freenode) and report it and we'll see how we can
> > help you? Going directly to the gentoo bug tracker and requesting it to be
> > completely removed from the distribution sounds completely absurd to me.
> >
> 
> It's not completely absurd when amsn1 has no new release for years, debian
> killed it due some security problems they blame to get unattended after
> supposedly getting them forwarded to upstream:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557754#16

no, it is absurd, amsn1 hasn't had a release because it's stable. That security concern from debian is BS like I explained and we were never able to reproduce it so it's invalid. You even said you thought it fails to work because microsoft changed the protocol and a lot of clients stopped working, yes, it's true, but not aMSN, because we did it properly (and we helped the others fix their bug) so when the protocol changed, everyone got a new release but we didn't need to.
We are concentrating on our work on amsn2 which is a complete rewrite and we keep releasing only bugfixes to the 0.x stable branch. It's not because it's stable that it should suddenly disappear from every distribution.

> 
> > As for "debian" and their "security issues" that's total bullshit (excuse
> > the term). That 'security' bug was never reported to us, we have an active
> > community and we never heard about it. Also, this "security issue" is about
> > someone doing a DoS on a port open by aMSN (which only happens for the few
> > milliseconds during which a file transfer is being established) and I don't
> > see how they can expect every application to have DoS counter measures! And
> > the only security concern is that the application freezes (because it's
> > under a DoS attack!). 
> 
> This will be better handled in its own bug then:
> https://bugs.gentoo.org/show_bug.cgi?id=415861
> 
> >That's completely stupid, and ever since I was shown
> > that bug and their ridiculous decision to remove it (because "there are
> > better msn alternatives" and because some guy's opinion is now the absolute
> > truth and that the fact that we still get over 200,000 downloads per month,
> > with over 1 million downloads during releases, is completely irrelevant
> > since some guy thinks there are "better alternatives"),
> 
> Well, I checked the status of this packages on other important distributions
> and saw it was removed from debian, ubuntu, and I couldn't find it neither
> in official opensuse repo. Also has some opened bug reports downstream here
> in gentoo that are unattended for a long time.
yes, debian removed it because someone was stupid and asked for removal and I refrained from starting a war. ubuntu just follows whatever debian does, and I have no idea about opensuse.

> 
> 
> > well, ever since I
> > was shown that bug report, I've refrained from doing anything, refrained
> > from protesting, refrained from commenting on their bug report because I
> > thought I would just not be able to keep my anger inside and I didn't want
> > to publicly explode and disrespect whoever made that stupid decision.
> > 
> 
> I think would be much better to comment and clarify things instead of coming
> here in such aggressive way and "exploding"
Isn't that exactly what I did? Didn't I explain and clarify things? Me being angry is a legitimate reaction, but I wasn't rude, vulgar, insulting, and I still gave proper explanations and stated my opinion in a clear manner. If there is something you didn't understand and you still need convincing, let me know, I'll be glad to explain to you in the most rational way.

> 
> > Now gentoo thinks that it's again the simplest solution... great, let me
> > open a bug report "Libre office crashed, I suggest we remove it from every
> > Linux distribution" or better yet "I had a kernel panic the other day, let's
> > not report the bug upstream, I suggest instead that we remove the linux
> > kernel from the distribution".
> >
> 
> It's not the same case as explained.
Sorry, but I don't see any explanation that you gave as to why this is any different. Unless you're referring to time between releases, in which case, I'm sure there are plenty of stable packages who haven't had a release in a while but are not candidates for removal.

>  
> > I don't have anything more to say.
> > 
> > KaKaRoTo
> 
> (In reply to comment #3)
> > Er, is this some attempt at humor? :-/  You can't just remove aMSN. We need
> > it.
> 
> Well, it has replacements, anyway, I am happy to see it preserved if bugs
> are fixed.

No, it has "competing clients", it has "alternatives", but it doesn't have a "replacement" yet. When we release amsn2, then yes, it would have a replacement, in the meantime, it's just a matter of personal choice, some people prefer pidgin, others prefer emesene, others empathy and others aMSN, open source and freedom also includes people being free to choose what client THEY want to use, and not being forced to use something else because someone somewhere thinks that it's better for them.
Comment 11 Pacho Ramos gentoo-dev 2012-05-16 06:57:51 UTC
(In reply to comment #10)
> (In reply to comment #5)
> > (In reply to comment #2)
> > > Hi,
> > > 
> > > I'm Youness (aka KaKaRoTo), an aMSN developer.
> > > I don't understand this idea of "let's just remove it". 
> > 
> > It's logical you don't understand it because that is not our idea at all.
> How is that not your idea at all? The title of this "bug" is "remove
> net-im/amsn", your first comment was "I think we should drop it" and the
> second comment is "removal looks a sane option." and now you're saying it's
> logical I don't understand it because removing amsn was not your intention ?
> Is this a joke ?
> 

It's not a joke, the idea is to remove it because of some reasons explained in bug report, not to "let's just remove it" like you said. There is an important difference.


> > 
> > 
> > >aMSN is working and
> > > still maintained and any bugs are still going to get fixed, if they are
> > > properly reported. 
> > 
> > >If it fails to connect for you, then why don't you come
> > > to our IRC channel (#amsn@freenode) and report it and we'll see how we can
> > > help you? Going directly to the gentoo bug tracker and requesting it to be
> > > completely removed from the distribution sounds completely absurd to me.
> > >
> > 
> > It's not completely absurd when amsn1 has no new release for years, debian
> > killed it due some security problems they blame to get unattended after
> > supposedly getting them forwarded to upstream:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557754#16
> 
> no, it is absurd, amsn1 hasn't had a release because it's stable. That
> security concern from debian is BS like I explained and we were never able
> to reproduce it so it's invalid. You even said you thought it fails to work
> because microsoft changed the protocol and a lot of clients stopped working,
> yes, it's true, but not aMSN, because we did it properly (and we helped the
> others fix their bug) so when the protocol changed, everyone got a new
> release but we didn't need to.
> We are concentrating on our work on amsn2 which is a complete rewrite and we
> keep releasing only bugfixes to the 0.x stable branch. It's not because it's
> stable that it should suddenly disappear from every distribution.
> 

Maybe it's stable, but we (and fedora) are carrying patches from fixing v4l compatibility to fix libpng-1.5. I added the bug to remove it for reasons already explained multiple times, not because "it's stable". Please discuss seriously.

> > 
> > > As for "debian" and their "security issues" that's total bullshit (excuse
> > > the term). That 'security' bug was never reported to us, we have an active
> > > community and we never heard about it. Also, this "security issue" is about
> > > someone doing a DoS on a port open by aMSN (which only happens for the few
> > > milliseconds during which a file transfer is being established) and I don't
> > > see how they can expect every application to have DoS counter measures! And
> > > the only security concern is that the application freezes (because it's
> > > under a DoS attack!). 
> > 
> > This will be better handled in its own bug then:
> > https://bugs.gentoo.org/show_bug.cgi?id=415861
> > 
> > >That's completely stupid, and ever since I was shown
> > > that bug and their ridiculous decision to remove it (because "there are
> > > better msn alternatives" and because some guy's opinion is now the absolute
> > > truth and that the fact that we still get over 200,000 downloads per month,
> > > with over 1 million downloads during releases, is completely irrelevant
> > > since some guy thinks there are "better alternatives"),
> > 
> > Well, I checked the status of this packages on other important distributions
> > and saw it was removed from debian, ubuntu, and I couldn't find it neither
> > in official opensuse repo. Also has some opened bug reports downstream here
> > in gentoo that are unattended for a long time.
> yes, debian removed it because someone was stupid and asked for removal and
> I refrained from starting a war. ubuntu just follows whatever debian does,
> and I have no idea about opensuse.
> 

Maybe you should have commented there instead of refraining because there is no need at all to "start a war" and calling others "stupid", you simply needed to kindly explain the situation there and you would probably have prevented its removal there also.

> > 
> > 
> > > well, ever since I
> > > was shown that bug report, I've refrained from doing anything, refrained
> > > from protesting, refrained from commenting on their bug report because I
> > > thought I would just not be able to keep my anger inside and I didn't want
> > > to publicly explode and disrespect whoever made that stupid decision.
> > > 
> > 
> > I think would be much better to comment and clarify things instead of coming
> > here in such aggressive way and "exploding"
> Isn't that exactly what I did? didn't I explain and clarify things? Me being
> angry is a legitimate reaction, but I wasn't rude, vulgar, insulting, and I
> still gave proper explanations and stated my opinion in a clear manner. If
> there is something you didn't understand and you still need convincing, let
> me know, I'll be glad to explain to you in the most rational way.
> 

Simply re-read comment #2 to see the used tone there.

> > 
> > > Now gentoo thinks that it's again the simplest solution... great, let me
> > > open a bug report "Libre office crashed, I suggest we remove it from every
> > > Linux distribution" or better yet "I had a kernel panic the other day, let's
> > > not report the bug upstream, I suggest instead that we remove the linux
> > > kernel from the distribution".
> > >
> > 
> > It's not the same case as explained.
> Sorry, but I don't see any explanation that you gave as to why this is any
> different. Unless you're referring to time between releases, in which case,
> I'm sure there are plenty of stable packages who haven't had a release in a
> while but are not candidates for removal.
> 

They don't have unfixed security bugs since 2006 that we see upstream doesn't care about (because they don't think it deserves to be fixed) due to a comment here in 2012 because you refrained to explain it when you saw the bug in debian.

> >  
> > > I don't have anything more to say.
> > > 
> > > KaKaRoTo
> > 
> > (In reply to comment #3)
> > > Er, is this some attempt at humor? :-/  You can't just remove aMSN. We need
> > > it.
> > 
> > Well, it has replacements, anyway, I am happy to see it preserved if bugs
> > are fixed.
> 
> No, it has "competing clients", it has "alternatives", but it doesn't have a
> "replacement" yet. when we release amsn2, then yes, it would have a
> replacement, in the meantime, it's just a matter of personal choice, some
> people prefer pidgin, others prefer emesene, others empathy and other aMSN,
> open source and freedom also includes people being free to choose what client
> THEY want to use, and not being forced to use something else because someone
> somewhere thinks that it's better for them.
Comment 12 Youness Alaoui 2012-05-18 22:16:25 UTC
(In reply to comment #11)
> 
> It's not a joke, the idea is to remove it because of some reasons explained
> in bug report, not to "let's just remove it" like you said. There is an
> important difference.

The reason was that it didn't connect (which was apparently a temporary server issue) and as explained the 'security reasons' are ridiculous.
When I say "let's just remove it", I'm not saying you woke up some day and thought it would be fun to remove it. What I mean by that is "there's an issue, let's just remove it, instead of contacting the devs and trying to resolve this properly". I find this very insulting and a lack of respect to our years of work on the project. 
At least, someone (not you) had the decency of giving me the link to this bug.

> 
> Maybe it's stable, but we (and fedora) are carrying patches from fixing v4l
> compatibility to fix libpng-1.5. I added the bug to remove it by reasons
> already explained multiple times, not because "it's stable". Please discuss
> seriously.

What are these bugs? Do we need to chase around every distro and see which patches they implement ? We were never notified of those bugs or given the patches to review. There is a mailing list for a reason, so if you have to keep carrying patches, that's your own fault for not communicating properly with upstream.


> 
> Maybe you should have commented there instead of refraining because there is
> no need at all to "start a war" and calling others "stupid", you simply
> needed to kindly explain the situation there and you would probably
> prevented its removal there also.

I would have if they had the decency of contacting us to discuss the issue, but no, we found out that it was removed and we found that bug *months* after it had gotten removed without giving us a chance to defend our situation.
That's why I refrained from commenting, it wouldn't have helped in any way as it was too late, and because the idea of asking for removal is not what's bothering me, it's the fact that it gets removed without talking with us about it first.

> 
> Simply re-read comment #2 to see the used tone there.

I never said I wasn't angry, yes, I am angry, and for good reason, and whatever tone I used, it doesn't make my arguments any less valid. Your tone has been less than pleasant too, and I don't know what your motivation is.


> 
> They don't have unfixed security bugs since 2006 that we see upstream don't
> care about (because they don't think it deserves to be fixed) due a comment
> here in 2012 because you refrained to explain it when you saw the bug in
> debian.
> 
Well, it's not about "upstream doesn't care about it", it's about bad communication. My point about "oh, this has a bug, let's remove it" is how I feel, because that's what I see, we were never contacted and given the chance to fix things, then it was blamed on us not caring.
Comment 13 Pacho Ramos gentoo-dev 2012-05-19 11:46:36 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > 
> > It's not a joke, the idea is to remove it because of some reasons explained
> > in bug report, not to "let's just remove it" like you said. There is an
> > important difference.
> 
> The reason was that it didn't connect (which was apparently a temporary
> server issue) and as explained the 'security reasons' are ridiculous.
> When I say "let's just remove it", I'm not saying you woke up some day and
> thought it would be fun to remove it. What I mean by that is "there's an
> issue, let's just remove it, instead of contacting the devs and trying to
> resolve this properly". I find this very insulting and a lack of respect to
> our years of work on the project. 

If you think it's "very insulting and a lack of respect" then, please, next time wait a bit before thinking such things because usually people have more important things to do than insult others and show lack of respect to a project. I really appreciate your work on getting amsn still working and maintained.


> At least, someone (not you) had the decency of giving me the link to this
> bug.
>

Fine, that is the reason why we wait 30 days before dropping it, and I also waited to start the process more than a month additional to that masking for removal.

> > 
> > Maybe it's stable, but we (and fedora) are carrying patches from fixing v4l
> > compatibility to fix libpng-1.5. I added the bug to remove it by reasons
> > already explained multiple times, not because "it's stable". Please discuss
> > seriously.
> 
> What are these bugs? Do we need to chase around every distro and see which
> patches they implement ? We were never notified of those bugs or given the
> patches to review. There is a mailing list for a reason, so if you have to
> keep carrying patches, that's your own fault for not communicating properly
> with upstream.
> 

No, it's your fault, your homepage points people to wrong place to report bugs:
http://www.amsn-project.net/developer.php

Fix that if you want distributions to report bugs to the place you want to get them instead of blaming us for not knowing that your homepage is outdated and points people to sourceforge bug tracker instead.

> 
> > 
> > Maybe you should have commented there instead of refraining because there is
> > no need at all to "start a war" and calling others "stupid", you simply
> > needed to kindly explain the situation there and you would probably
> > prevented its removal there also.
> 
> I would have if they had the decency of contacting us to discuss the issue,
> but no, we found out that it was removed and we found that bug *months*
> after it had gotten removed without giving us a chance to defend our
> situation.
> That's why I refrained from commenting, it wouldn't have helped in any way
> as it was too late, and because the idea of asking for removal is not what's
> bothering me, it's the fact that it gets removed without talking with us
> about it first.
> 
> > 
> > Simply re-read comment #2 to see the used tone there.
> 
> I never said I wasn't angry, yes, I am angry, and for good reason, and
> whatever tone I used, it doesn't make my arguments any less valid. Your tone
> has been less than pleasant too, and I don't know what your motivation is.
> 

My motivation is to clarify things to prevent you from thinking we wanted to drop amsn simply because we were too lazy to fix those bugs. If this communication problem has caused all this problem and, also, a similar one some time ago on Debian, maybe it's because you pointed people to wrong places (as I pointed above) to report bugs and contact you.

> > 
> > They don't have unfixed security bugs since 2006 that we see upstream don't
> > care about (because they don't think it deserves to be fixed) due a comment
> > here in 2012 because you refrained to explain it when you saw the bug in
> > debian.
> > 
> Well, it's not about "upstream doesn't care about it", it's about bad
> communication. My point about "oh, this has a bug, let's remove it" is how I
> feel, because that's what I see, we were never contacted and given the
> chance to fix things, then it was blamed on us not caring.
Comment 14 Markos Chandras (RETIRED) gentoo-dev 2012-05-19 12:40:08 UTC
Please move this discussion to forums or mailing list or /dev/null. Bugzilla is not the place for that