| 1 |
On Fri, Jul 8, 2016 at 2:50 PM, Alec Warner <antarus@g.o> wrote: |
| 2 |
|
| 3 |
> |
| 4 |
> |
| 5 |
> On Fri, Jul 8, 2016 at 1:21 PM, Philip Webb <purslow@××××××××.net> wrote: |
| 6 |
> |
| 7 |
>> 160708 William Hubbs wrote: |
| 8 |
>> > On Fri, Jul 08, 2016 at 05:56:04PM +0300, Andrew Savchenko wrote: |
| 9 |
>> >> IMO the criteria should be whether they work or not, |
| 10 |
>> >> not whether upstream is more or less active. |
| 11 |
>> >> If they're blockers on other work, by all means cull them. |
| 12 |
>> >> However, if the biggest problem with them is |
| 13 |
>> >> that they're using a few inodes in the repo, they should probably stay. |
| 14 |
>> > There is an overlay for packages that are removed from the official tree |
| 15 |
>> > -- https://github.com/gentoo/graveyard -- |
| 16 |
>> > and that is where old software should go, |
| 17 |
>> > if it doesn't have an active maintainer. |
| 18 |
>> |
| 19 |
>> A lot of this lengthy discussion is missing some basic points, |
| 20 |
>> though a few people have mentioned them in passing. |
| 21 |
>> As someone who has used Gentoo exclusively since 2003 |
| 22 |
>> & who raised the objections to removal of Xcdroast + Nethack, |
| 23 |
>> let me try to get you all to focus on the real-life issues. |
| 24 |
>> |
| 25 |
>> (1) The fact that a pkg has little or no upstream support |
| 26 |
>> or that it doesn't have an active Gentoo maintainer |
| 27 |
>> is not a reason for removing it from the regular tree. |
| 28 |
>> |
| 29 |
> |
| 30 |
> So basically what you are advocating for is: |
| 31 |
> |
| 32 |
> "Having completely unmaintained packages in the tree is OK." |
| 33 |
> |
| 34 |
> And honestly, I do not buy that premise. |
| 35 |
> |
| 36 |
> |
| 37 |
>> |
| 38 |
>> One basic reason some software is no longer being actively developed |
| 39 |
>> is simply that they work perfectly well as they now are, |
| 40 |
>> eg the file manager Krusader & the desktop manager Fluxbox : |
| 41 |
>> both of these are very useful & have no drop-in replacements, |
| 42 |
>> but very little development has occurred for several years. |
| 43 |
>> The same is true of Xcdroast & Nethack, which have been threatened, |
| 44 |
>> but which have been rescued after some small patches have been applied. |
| 45 |
>> This is likely to be true of more + more pkgs, as time passes : |
| 46 |
>> even changes in the kernel these days rarely affect desktop users. |
| 47 |
>> |
| 48 |
> |
| 49 |
> No one is trying to remove flubox (which had a release in 2015 and had |
| 50 |
> activity in its git repo as recently as last week.) |
| 51 |
> |
| 52 |
> Xcdroast for example, hasn't had a release in 8 years and I can't even |
| 53 |
> find its source tracker in sourceforge. These are the sorts of packages |
| 54 |
> that I think are not great to have in the tree and for Xcdroast, if I were |
| 55 |
> treecleaner lead i would probably advocate for working around the security |
| 56 |
> bug (dropped SUID) instead of removal. I do not necessarily want to remove |
| 57 |
> software that people are using. |
| 58 |
> |
| 59 |
> That being said, I do not want unmaintained software in the tree either. |
| 60 |
> |
| 61 |
> |
| 62 |
>> |
| 63 |
>> (2) There are 3 basic categories of Gentoo user : |
| 64 |
>> (a) server-farm managers, (b) multi-user sysadmins, (c) single-users. |
| 65 |
>> Each of these have different security concerns : |
| 66 |
>> (a) need to be alert to the many threats from all over the Internet ; |
| 67 |
>> (b) need (among other things) to prevent privilege escalation ; |
| 68 |
>> (c) are largely immune to those types of threat, |
| 69 |
>> though a few of the Internet variety can affect them. |
| 70 |
>> |
| 71 |
> |
| 72 |
> I appreciate the argument you are trying to make; but i do not think it |
| 73 |
> really drives Gentoo Security Policy (nor should it.) |
| 74 |
> |
| 75 |
> As my security manager used to say "security is not a race to the bottom." |
| 76 |
> |
| 77 |
> |
| 78 |
>> |
| 79 |
>> The security objections raised against Xcdroast + Nethack |
| 80 |
>> were both problems which would arise only on multi-user systems, |
| 81 |
>> yet single-users were also to be deprived of access to them. |
| 82 |
>> Perhaps part of the problem is that many Gentoo developers |
| 83 |
>> also earn their livings as sysadmins with many users or many servers : |
| 84 |
>> the simpler happier world of single-users escapes their attention. |
| 85 |
>> |
| 86 |
>> (3) Users generally don't want to be developers : they're too busy or too |
| 87 |
>> old. |
| 88 |
>> Asking them "Are you willing to maintain it yourself ?" is a silly excuse |
| 89 |
>> ; |
| 90 |
>> offering them the chance to dig around in a graveyard is even worse ; |
| 91 |
>> even maintaining an overlay is a nuisance : I tried it with KDE Sunset. |
| 92 |
>> Neither Xcdroast nor Nethack belong in a graveyard of any kind : |
| 93 |
>> once the obscure security problems have been fixed, |
| 94 |
>> they belong in the regular tree marked 'stable', |
| 95 |
>> like many other pkgs whose development has been completed. |
| 96 |
>> |
| 97 |
>> Users all do -- or should -- appreciate the unpaid work of the developers, |
| 98 |
>> but developers also need to realise that without non-developer users |
| 99 |
>> Gentoo would very quickly die & their justified pride + satisfaction die |
| 100 |
>> too. |
| 101 |
>> |
| 102 |
> |
| 103 |
> I'm a bit confused by this argument. |
| 104 |
> |
| 105 |
> 1) It appears that no Gentoo developers want to maintain a software |
| 106 |
> package. |
| 107 |
> 2) The software package has no active upstream. |
| 108 |
> 3) The software has no bugs. |
| 109 |
> |
| 110 |
|
| 111 |
Sorry, in my argument the package has open bugs, I mis-typed ;) |
| 112 |
|
| 113 |
|
| 114 |
> 4) We mask the software because it has bugs and no active maintianer, for |
| 115 |
> years. |
| 116 |
> 5) No one volunteers to proxy-maintain the software. |
| 117 |
> |
| 118 |
> But you advocate we keep such software in the tree, because users are "too |
| 119 |
> busy" or "too old" to maintain it themselves? |
| 120 |
> |
| 121 |
> |
| 122 |
>> |
| 123 |
>> (4) I have 3 simple recommendations to fix the everyday problems. |
| 124 |
>> |
| 125 |
>> (a) the justification for tree-cleaning should be explicitly |
| 126 |
>> that a pkg either (i) won't compile, (ii) crashes when run |
| 127 |
>> or (iii) has a serious security hole which affects all 3 types of user. |
| 128 |
>> |
| 129 |
> |
| 130 |
>> (b) there needs to be a developer role 'General Maintainer', |
| 131 |
>> who should be available to look at pkgs which have no regular maintainer, |
| 132 |
>> but which compile, run properly & are generally secure : |
| 133 |
>> their job would be to step in, like Mr Savchenko -- thanks again -- , |
| 134 |
>> to fix small problems which would otherwise be neglected ; |
| 135 |
>> less formally, all developers might see it as part of their role |
| 136 |
>> to help out occasionally with such small problems. |
| 137 |
>> |
| 138 |
> |
| 139 |
> In an ideal world, the tree would be full of properly maintained packages. |
| 140 |
> |
| 141 |
> There are over 1500 packages in the tree in the 'maintainer-needed' |
| 142 |
> state[1]. |
| 143 |
> |
| 144 |
> Even if we allocated 100 packages per developer, this "General Maintainer" |
| 145 |
> team would be 15 developers strong and one of the largest projects in |
| 146 |
> Gentoo. To compare the Treecleaner project is 7 people; the Security |
| 147 |
> project is 10 people. |
| 148 |
> |
| 149 |
> This is in fact part of the rationale of the Treecleaner project itself. |
| 150 |
> Ebuilds require maintenance (eclass updates, new EAPIs, etc) and someone |
| 151 |
> has to do this work (or we end up with 6 supports EAPIs in the tree.) This |
| 152 |
> is one reason why packages that are unmaintained are removed; we do not |
| 153 |
> have 15 spare humans to clean up the unmaintained packages, so we remove |
| 154 |
> them when it is feasible to do so. |
| 155 |
> |
| 156 |
> |
| 157 |
>> (c) Gentoo's rules + policies need explicitly to reflect the fact |
| 158 |
>> that there are 3 types of user, as described : |
| 159 |
>> eg some pkgs might be marked as 'not safe for multi-user systems' ; |
| 160 |
>> that would recognise real distinctions which are now being ignored. |
| 161 |
>> |
| 162 |
>> HTH & thanks as always to all of you for making Gentoo work since 2003. |
| 163 |
>> |
| 164 |
> |
| 165 |
> |
| 166 |
> [1] https://qa-reports.gentoo.org/output/maintainer-needed.html |
| 167 |
> |
| 168 |
> |
| 169 |
>> |
| 170 |
>> -- |
| 171 |
>> ========================,,============================================ |
| 172 |
>> SUPPORT ___________//___, Philip Webb |
| 173 |
>> ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto |
| 174 |
>> TRANSIT `-O----------O---' purslowatchassdotutorontodotca |
| 175 |
>> |
| 176 |
>> |
| 177 |
>> |
| 178 |
> |
Archives