| 1 |
>>>>> "BdG" == Ben de Groot <yngwin@g.o> writes: |
| 2 |
|
| 3 |
BdG> On 14 March 2010 06:09, James Cloos <cloos@×××××××.com> wrote: |
| 4 |
>>>>>>> "BdG" == Ben de Groot <yngwin@g.o> writes: |
| 5 |
>> |
| 6 |
BdG> Abandoned packages do not belong in the portage tree. |
| 7 |
>> |
| 8 |
>> Nonsense. That attitude only servers to harm the user base. |
| 9 |
|
| 10 |
BdG> You're wrong. It serves to protect our users from potentially |
| 11 |
BdG> broken and vulnerable packages. |
| 12 |
|
| 13 |
Any user who needs *that* much hand-holding will use a binary dist, |
| 14 |
not a source dist. |
| 15 |
|
| 16 |
BdG> It ascertains a Quality Assurance level that we and our users can |
| 17 |
BdG> be comfortable with. |
| 18 |
|
| 19 |
No, it does not. The user base for a build-locally-from-source dist |
| 20 |
wants wider access, not just a few packages. |
| 21 |
|
| 22 |
>> Leaving them in does not. |
| 23 |
|
| 24 |
BdG> It does, as it opens the users up to unknown security |
| 25 |
BdG> vulnerabilities and increasing brokenness as bugs are |
| 26 |
BdG> not addressed. |
| 27 |
|
| 28 |
Removing the ebuilds does not help that even one bit. IF they do not |
| 29 |
use those programs, they are not harmed even if there is some (real) |
| 30 |
vulnerability -- and don't forget that most of the vulnerability claims |
| 31 |
are for things which will never happen in practice. (Which is not to |
| 32 |
suggest that upstreams shouldn't code defensively, just that not every |
| 33 |
warning is critical enough to loose sleep over.) |
| 34 |
|
| 35 |
BdG> If Gentoo would stop caring about QA, then we'd be wasting |
| 36 |
BdG> our time working on making this a better distro. |
| 37 |
|
| 38 |
Removing ebuilds is not in itself QA. It does not in itself improve |
| 39 |
quality. There has to be a real reason to remove. |
| 40 |
|
| 41 |
Removing a leaf package which has been replaced by its upstream, whether |
| 42 |
by a simple rename or by a complete re-implementation or anywhere |
| 43 |
inbetween, is a good call. |
| 44 |
|
| 45 |
Removing a widely-used, well-designed and well-managed library and |
| 46 |
everything which depends on it, just because upstream has stopped |
| 47 |
dealing with bug reports against that version, is not. The likelyhood |
| 48 |
that any significant issues remain in qt3 is small. The relevant apps |
| 49 |
work, have been working and will continue to work. |
| 50 |
|
| 51 |
I will not begrudge the kde team for wanting to support only kde4. |
| 52 |
|
| 53 |
Dropping kde3 in favour of kde4 is just an upgrade. |
| 54 |
|
| 55 |
But dropping qt3 even though packages exist which depend on it and have |
| 56 |
not been ported to qt4 (and it *is* a /port/, *not* an /upgrade/) is |
| 57 |
simply the wrong thing to do. |
| 58 |
|
| 59 |
It is also OK to mask -- but not necessarily remove -- a package with a |
| 60 |
truly exploitable bug; moreso if the package is itself security-related. |
| 61 |
That means real exploits in the wild, real attempts to do harm. |
| 62 |
|
| 63 |
The so-called qa team has been acting too robotically. It needs to show |
| 64 |
more common sense and better judgement. Worry about the real problems, |
| 65 |
not the trivial. Work to fix packages, not to murder them. |
| 66 |
|
| 67 |
-JimC |
| 68 |
-- |
| 69 |
James Cloos <cloos@×××××××.com> OpenPGP: 1024D/ED7DAEA6 |
Archives