Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: mtecknology@debian.org

Despite the very occasional upstream commit/merge, the current upstream project
owner has made it clear (via email, issues [1], and action) that they don't
intend to maintain this project. The last upstream release was in 2019 and they
have indicated they don't plan to make any new releases.

This project is essentially dead and no longer suitable for inclusion in the
Debian archive... or for use on any system. This package should be removed and
anyone who was using it should find an alternative solution.

[1] https://github.com/rsnapshot/rsnapshot/issues/191#issuecomment-562460327

Thanks,

Please don't remove rsnapshot - it is a far too important package to lose.

IMHO the issue is really minor: rsnapshot is a stable software which had
very few changes over last several years.

Even if unmaintained upstream it will remain usable for years to come.

As a project we are perfectly capable to apply patches here and there, as
required even without upstream support.

Also I'm not aware of any conceptual alternatives to rsnapshot. In a sense
it is a unique software implementing a special (and extraordinary useful)
approach to backups.

Thanks.

---

A man who knows a subject thoroughly, a man so soaked in it that he eats
it, sleeps it and dreams it - this man can always teach it with success, no
matter how little he knows of technical pedagogy.
 -- H. L. Mencken

---

ZERO flu deaths reported during 2020-2021 season. Never in medical history
has an annual disease completely disappeared to be replaced by another one
with the exact same symptoms.

Of the 11 open PRs, several are marked as "needs tests", and all but
three look like new features, not bugfixes. Two of the three bug fixes
are for rsnapreport, a tool that to be blunt I don't think is very
important. One is for LVM- and BTRFS- specific issues so is hard for
people without a very specific configuration to test.

There are three broad themes in the open tickets.

1. help requests, which ought to be on the mailing list.

2. feature requests

3. minor problems with argument parsingin some unusual situations,
    especially when args contain whitespace.

The only one of those themes that is even slightly important is the
third, and they are mostly unfixable without breaking existing working
configurations.

Finally, the most recent release is almost completely up-to-date with
the master branch:

https://github.com/rsnapshot/rsnapshot/compare/HEAD..1.4.3

So what, exactly, is unmaintained about it? Looks to me like it has
exactly the amount of maintenance that is required for mature software.

I'm not going to strawman my justifications; it's not terribly relevant anyway.
Absolutely anyone is free to disagree with me and continue maintenance of the
package. If needed, I'll even sponsor the upload.

https://mentors.debian.net/intro-maintainers (read 1-2, start at 3)

Hi all,
for what it is worth, I am against removing rsnapshot from Debian. While
it is not actively developed anymore, it is stable software and as far I
know it has no know vulnerabilities (being a wrapper around rsync).

borg (or duplicity) is not an equivalent solution, and I really like to
continue using rsnapshot as-is on Debian (and other distro).

Thanks.

Removing an useful and stable software such as rsnapshot is not a good idea, IMHO.

Now Debian has a release with a useful package missing.  What ever
happened to orphaning a package if you didn't want to maintain it anymore?
I certainly see nothing that make the claim that it isn't suitable for
release justified.  It is working very well and does not appear to have
any serious bugs.  Good thing you didn't remove it from sid.  The removal
from bullseye was clearly wrong and unjustified.  Not the correct way
to handle a package (I am surprised it got removed in fact).

As for the idea restic is a useful replacement, not a chance.  That design
is way too complicated and they are not even at a release where they
declare the api or repo format stable.  rsnapshot nicely provides a
backup that you can look at with standard tools and recover things
however is most convinient.

And someone did just do some updates upstream and make a 1.4.4 release
a few days ago.

On Fri, 28 May 2021 15:39:28 -0500 Michael Lustfield
<michael@lustfield.net> wrote:
 > On Fri, 28 May 2021 19:56:47 +0100
 > David Cantrell <david@cantrell.org.uk> wrote:
 >
 > > [...]
 > > So what, exactly, is unmaintained about it? Looks to me like it has
 > > exactly the amount of maintenance that is required for mature software.
 >
 > I'm not going to strawman my justifications; it's not terribly
relevant anyway.
 > Absolutely anyone is free to disagree with me and continue
maintenance of the
 > package. If needed, I'll even sponsor the upload.
 >
 > https://mentors.debian.net/intro-maintainers (read 1-2, start at 3)
 >
 >

Hi Michael, I don't understand this. Wouldn't it be easier if you
orhpaned the package since it's already in stable?

Thanks,

Sam.

FYI linked issue and summary of issue from upstream perspective:
https://github.com/rsnapshot/rsnapshot/issues/279#issuecomment-860001348

Hi,

given that dirvish is still available in bullseye, although it's
unmaintained for more than 16(!) years now, it really makes me wonder
why rsnapshot has been removed. Please add it back, it's removal doesn't
make any sense.

Bye...

    Dirk

Upon upgrading my backup server tonight, I found that rsnapshot was
removed from Debian Bullseye.  In my opinion, this shouldn't have happened.

I currently use it for backups on my main production server, and even in
my previous Linux admin job, I had implemented it for company systems.
There is no practical alternative to it, it's just a wrapper around
rsync, nothing else works like that as far as I know.  I also noticed
that a newer version is in sid, couldn't that have been migrated to
testing and released?  I've been using it since 2014 (daily) as far as I
know.  I could look for alternatives, but it works too well in my opinion.

To add what I think is a very good point for this, I recently opened a
bug report for a package called statsvn, which didn't even work in both
stable and testing, apparently nobody even verified that it worked
before releasing it in Buster, it would fail with a java version check.
  Rsnapshot, a fine working package, was removed, but a perpetually
broken package wasn't.  Statsvn hasn't been released upstream for
apparently 11 years.  For now, I might see if I can use the sid version
on stable.

Hi,

I was also unpleasently surprised that rsnapshot is not in Bullseye and there's no mention of it in the release notes either. I don't how the process or rules in Debian are for such a case, but please find a way to either reintroduce rsnapshot into the stable distribution or at least provide a bullseye-backports package for it. It's simply a useful and mature piece of software.

Regards,

Timo

On Fri, 28 May 2021 15:39:28 -0500 Michael Lustfield
<michael@lustfield.net> wrote:
 > On Fri, 28 May 2021 19:56:47 +0100
 > David Cantrell <david@cantrell.org.uk> wrote:
 >
 > > [...]
 > > So what, exactly, is unmaintained about it? Looks to me like it has
 > > exactly the amount of maintenance that is required for mature software.
 >
 > I'm not going to strawman my justifications; it's not terribly
relevant anyway.
 > Absolutely anyone is free to disagree with me and continue
maintenance of the
 > package. If needed, I'll even sponsor the upload.
 >
 > https://mentors.debian.net/intro-maintainers (read 1-2, start at 3)
 >

 >

Michael,

I think it is important that you clarify or modify your stance given
that upon further inspection by others here, there are no serious
outstanding functional or security issues with the program. Even
self-asserted justification (i.e. "I just don't want to maintain it
anymore, so find someone else") is acceptable; that is your right as a
volunteer. But it would have been prudent to either defend your initial
assessment of the program as no longer suitable for inclusion, or
acknowledge that you may have been incorrect. Otherwise the issue is
just stuck in limbo.

Additionally, in response to this very bug, a new upstream release has
now been issued. In light of this, do you plan to upload the new version
and continue to fill the role of maintainer for the rsnapshot Debian
package, or is another maintainer still needed going forward?

I don't seek to impose anything upon you, I just want to see that this
doesn't fall through the cracks.

Thanks
John Brooks

So... My first response was a wordier version of the message you replied to,
emphasizing the bit where my opinion is moot. What's written below is as much
as I'm willing to dip back into #debiandrama. While reading, please remember
this point (and don't expect further response).


My original request was for a removal, which is a stance I whole-heartedly
still stand by, and which draws from experiences after adopting the package. A
removal like this is basically orphan++ ("I'm afk4eva" vs. "bad package"). That
changed slightly with zeha's bug modifications, but the effect is still largely
the same, with a touch of stability added. (Thanks zeha!)

(sensible action, but likely helps with that "limbo" perception?)
  ^ https://tracker.debian.org/pkg/rsnapshot

side note --

  > Additionally, in response to this very bug, a new upstream release has
  > now been issued. In light of this, do you plan to upload the new version

  You very correctly point out that a number of fixes and a new release came
  directly in response to certain actions. Unfortunately, we draw very different
  conclusions. (a hint, perhaps?)


I appreciate that you responded to that particular (#30) message of mine, where
I say that I don't intend to stand in anyone's way, and offered to help anyone
interested in package maintenance, while also maintaining my position. This is
important to me because some people have indeed taken a stab at rsnapshot
maintenance; however, they very quickly disappeared when they learned that it
would require more effort than just slapping an updated tarball onto the
packaging.

^ "continue" stopped at the RM-RoQA (note: this tag was not an accident)

The root of why I claim how I feel does not matter is because the end result is
the same. The only thing that's required to override my (strong) opinion is for
someone to pick it up, understand it well enough to confidently claim it's
ready for release (start w/ debian bugs), and that'll be the end of this thread.

Thank you for your reply. I admit I'm rather a dilettante in this area.
I'm only a user and have had little or no exposure to the Debian
development process. I didn't even see "RoQA" until you pointed it out,
and then had to look up what it means — "Requested by the QA team".

And that's about where my ability to contribute usefully ends. My belief
that the Debian organization and its contributors are generally
intelligent and sensible leads me to believe that you and the QA team
have good reasons for removing the package, even if I don't understand them.

I don't know precisely what criteria of stability and quality are used
to judge whether a package is suitable for inclusion; my outside view is
that this package is no more broken or unmaintained than the average
Debian package. The only bug of "serious" severity classification is
this one. But when my uninformed assessment is at odds with an actual
Debian maintainer, I have no choice but to assume that there is an
important factor which I am blind to. I understand that it's not your
responsibility to teach me just to satisfy my idle curiosity, so we can
leave it at that.

Thank you for your service.

John Brooks

John Brooks wrote:

Esp. when compared to dirvish (see my previous mail), which is
unmaintained for 16+ years, but still available in bullseye. What's the
point in keeping that one while at the same time removing rsnapshot,
which is unmaintained for just a handful of months now?

Bye...

    Dirk

See my note about whataboutisms and strawman arguments
... and thanks for highlighting a perfect example.

Note: This is a general response, not meant to address rsnapshot specifically.

My offer to mentor prospective debian maintainers stands. I might not be the
bestest teacher, but I can also teach people where to find smarter people to
teach smarter things. ;)

If you want to continue believing this, I encourage you to avoid any open
source development, especially WRT distributions. :P

Seriously, though... we're all just humans driven by various motives. Although
rare, changes like this /do/ sometimes come with malice. Other times it's best
of intentions, and sometimes those intentions are flawed.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964139
https://www.theverge.com/2021/4/22/22398156/university-minnesota-linux-kernal-ban-research
https://www.theregister.com/2021/06/16/debian_11/
https://arstechnica.com/information-technology/2015/05/debian-8-linuxs-most-reliable-distro-makes-its-biggest-change-since-1993/
^ one of these clearly intends to do harm

[ moving back to rsnapshot ]

There are definitely options; I'm just one person with an opinion. It's
entirely possible all of my previous reasoning has been permanently fixed and
I'm just too jaded to see that. If such a scenario were to be our present case,
then it would be very easy for someone else to just hop in, grab this, and
maintain (own) it indefinitely (... or until such time it must be retired).

  ^ This could be you, anyone that commented on this thread, etc.

If, however, my $super_notsosecret reasoning still holds water,
then... that won't be so easy and it becomes a self-solving problem.

It's actually very difficult for me to not launch into a long-winded rant, so
thank-you for prompting me to provide this additional explanation.

Cheers,

Hi Michael,
and
case,
so

I heard of this issue around rsnapshot in Debian in recent months from various
information sources. While I completely understand your opinion, this looks
like another unexpected consequence due to Debian's strong package maintenance
ownership. I am not against your decision, but I am wondering if the following
actions would work for you:

1) Package the latest rsnapshot release 1.4.4 as-is, but still keep this RC
bug open since it is not considered suitable for Stable release, or

2) Orphan package rsnapshot since you find this software not maintainable, or

3) Remove it from Debian archive as you originally planned.

My personal thought is that some actions would be better than getting stuck
here, and I am also interested in the next step. At least I believe doing
nothing does not fall into the category of package maintenance.

Thanks,
Boyuan Yang

Dear maintainer,

could you please give some hints, why you actually think the package is
unmaintainable or whre we can find information about this? This would be
usefull for everyone considering to adopt it.

Version 1.4.4-1

Hi,

With Michael's agreement, I have taken over maintaining rsnapshot. I have just
uploaded version 1.4.4-1.

Thanks.

Mark