On Fri, Jul 8, 2016 at 2:50 PM, Alec Warner <antarus@g.o> wrote:

>
>
> On Fri, Jul 8, 2016 at 1:21 PM, Philip Webb <purslow@××××××××.net> wrote:
>
>> 160708 William Hubbs wrote:
>> > On Fri, Jul 08, 2016 at 05:56:04PM +0300, Andrew Savchenko wrote:
>> >> IMO the criteria should be whether they work or not,
>> >> not whether upstream is more or less active.
>> >> If they're blockers on other work, by all means cull them.
>> >> However, if the biggest problem with them is
>> >> that they're using a few inodes in the repo, they should probably stay.
>> > There is an overlay for packages that are removed from the official tree
>> > -- https://github.com/gentoo/graveyard --
>> > and that is where old software should go,
>> > if it doesn't have an active maintainer.
>>
>> A lot of this lengthy discussion is missing some basic points,
>> though a few people have mentioned them in passing.
>> As someone who has used Gentoo exclusively since 2003
>> & who raised the objections to removal of Xcdroast + Nethack,
>> let me try to get you all to focus on the real-life issues.
>>
>> (1) The fact that a pkg has little or no upstream support
>> or that it doesn't have an active Gentoo maintainer
>> is not a reason for removing it from the regular tree.
>>
>
> So basically what you are advocating for is:
>
> "Having completely unmaintained packages in the tree is OK."
>
> And honestly, I do not buy that premise.
>
>
>>
>> One basic reason some software is no longer being actively developed
>> is simply that they work perfectly well as they now are,
>> eg the file manager Krusader & the desktop manager Fluxbox :
>> both of these are very useful & have no drop-in replacements,
>> but very little development has occurred for several years.
>> The same is true of Xcdroast & Nethack, which have been threatened,
>> but which have been rescued after some small patches have been applied.
>> This is likely to be true of more + more pkgs, as time passes :
>> even changes in the kernel these days rarely affect desktop users.
>>
>
> No one is trying to remove Fluxbox (which had a release in 2015 and had
> activity in its git repo as recently as last week.)
>
> Xcdroast, for example, hasn't had a release in 8 years and I can't even
> find its source tracker on SourceForge. These are the sorts of packages
> that I think are not great to have in the tree, and for Xcdroast, if I were
> treecleaner lead I would probably advocate for working around the security
> bug (dropped SUID) instead of removal. I do not necessarily want to remove
> software that people are using.
>
> That being said, I do not want unmaintained software in the tree either.
>
>
>>
>> (2) There are 3 basic categories of Gentoo user :
>> (a) server-farm managers, (b) multi-user sysadmins, (c) single-users.
>> Each of these has different security concerns :
>> (a) need to be alert to the many threats from all over the Internet ;
>> (b) need (among other things) to prevent privilege escalation ;
>> (c) are largely immune to those types of threat,
>> though a few of the Internet variety can affect them.
>>
>
> I appreciate the argument you are trying to make; but I do not think it
> really drives Gentoo Security Policy (nor should it.)
>
> As my security manager used to say, "security is not a race to the bottom."
>
>
>>
>> The security objections raised against Xcdroast + Nethack
>> were both problems which would arise only on multi-user systems,
>> yet single-users were also to be deprived of access to them.
>> Perhaps part of the problem is that many Gentoo developers
>> also earn their livings as sysadmins with many users or many servers :
>> the simpler happier world of single-users escapes their attention.
>>
>> (3) Users generally don't want to be developers : they're too busy or too old.
>> Asking them "Are you willing to maintain it yourself ?" is a silly excuse ;
>> offering them the chance to dig around in a graveyard is even worse ;
>> even maintaining an overlay is a nuisance : I tried it with KDE Sunset.
>> Neither Xcdroast nor Nethack belong in a graveyard of any kind :
>> once the obscure security problems have been fixed,
>> they belong in the regular tree marked 'stable',
>> like many other pkgs whose development has been completed.
>>
>> Users all do -- or should -- appreciate the unpaid work of the developers,
>> but developers also need to realise that without non-developer users
>> Gentoo would very quickly die & their justified pride + satisfaction die too.
>>
>
> I'm a bit confused by this argument.
>
> 1) It appears that no Gentoo developers want to maintain a software
> package.
> 2) The software package has no active upstream.
> 3) The software has no bugs.
>

Sorry, in my argument the package has open bugs, I mis-typed ;)


> 4) We mask the software because it has bugs and no active maintainer, for
> years.
> 5) No one volunteers to proxy-maintain the software.
>
> But you advocate we keep such software in the tree, because users are "too
> busy" or "too old" to maintain it themselves?
>
>
>>
>> (4) I have 3 simple recommendations to fix the everyday problems.
>>
>> (a) the justification for tree-cleaning should be explicitly
>> that a pkg either (i) won't compile, (ii) crashes when run
>> or (iii) has a serious security hole which affects all 3 types of user.
>>
>
>> (b) there needs to be a developer role 'General Maintainer',
>> who should be available to look at pkgs which have no regular maintainer,
>> but which compile, run properly & are generally secure :
>> their job would be to step in, like Mr Savchenko -- thanks again -- ,
>> to fix small problems which would otherwise be neglected ;
>> less formally, all developers might see it as part of their role
>> to help out occasionally with such small problems.
>>
>
> In an ideal world, the tree would be full of properly maintained packages.
>
> There are over 1500 packages in the tree in the 'maintainer-needed'
> state[1].
>
> Even if we allocated 100 packages per developer, this "General Maintainer"
> team would be 15 developers strong and one of the largest projects in
> Gentoo. To compare, the Treecleaner project is 7 people; the Security
> project is 10 people.
>
> This is in fact part of the rationale of the Treecleaner project itself.
> Ebuilds require maintenance (eclass updates, new EAPIs, etc) and someone
> has to do this work (or we end up with 6 supported EAPIs in the tree.) This
> is one reason why packages that are unmaintained are removed; we do not
> have 15 spare humans to clean up the unmaintained packages, so we remove
> them when it is feasible to do so.
>
>
>> (c) Gentoo's rules + policies need explicitly to reflect the fact
>> that there are 3 types of user, as described :
>> eg some pkgs might be marked as 'not safe for multi-user systems' ;
>> that would recognise real distinctions which are now being ignored.
>>
>> HTH & thanks as always to all of you for making Gentoo work since 2003.
>>
>
>
> [1] https://qa-reports.gentoo.org/output/maintainer-needed.html
>
>
>>
>> --
>> ========================,,============================================
>> SUPPORT ___________//___, Philip Webb
>> ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
>> TRANSIT `-O----------O---' purslowatchassdotutorontodotca
>>