| 1 |
On Tuesday, January 3, 2017 9:24:19 AM EST Damien LEVAC wrote: |
| 2 |
> On 01/03/2017 09:14 AM, Michael Mol wrote: |
| 3 |
> > On Tuesday, January 3, 2017 12:05:10 PM EST Michał Górny wrote: |
| 4 |
> >> On Tue, 3 Jan 2017 16:00:52 +0700 (+07) |
| 5 |
> >> |
| 6 |
> >> grozin@g.o wrote: |
| 7 |
> >>> On Mon, 2 Jan 2017, Brian Evans wrote: |
| 8 |
> >>>> IMO, this one should be given last-rites as upstream is dead and it |
| 9 |
> >>>> heavily depends on wireless-tools and WEXT. |
| 10 |
> >>> |
| 11 |
> >>> I use it on 2 notebooks. It works fine, and is (from my point of view) |
| 12 |
> >>> the |
| 13 |
> >>> most convenient tool to control ethernet and wifi connections on a |
| 14 |
> >>> notebook. Why lastrite it when it works? |
| 15 |
> >> |
| 16 |
> >> This is the Gentoo Way™. Having a working software is not a goal. |
| 17 |
> >> Gentoo focuses on the best bleeding edge experience and therefore |
| 18 |
> >> highly relies on software packages that are under active development |
| 19 |
> >> and require active maintenance. The packages in early stages of |
| 20 |
> >> development are especially interesting since they can supply users |
| 21 |
> >> and developers with variety of interesting bugs and unpredictable |
| 22 |
> >> issues. |
| 23 |
> > |
| 24 |
> > Do we have detailed treatise documenting the points and counterpoints to |
| 25 |
> > "Why lastrite it when it works?" It's a question that comes up every |
| 26 |
> > month or two, and the reasons, for and against, are probably mature |
| 27 |
> > enough to get numbers, now. |
| 28 |
> > |
| 29 |
> > Reason #3 in favor: "It works for me" may only be valid from a particular |
| 30 |
> > perspective. Without active maintenance, there may be subtle bugs that |
| 31 |
> > aren't immediately obvious. Bugs that aren't immediately obvious aren't |
| 32 |
> > always innocuous; sometimes they're insidious background data loss. Other |
| 33 |
> > times, they might be security vulnerabilities no good guy has yet |
| 34 |
> > noticed. |
| 35 |
> |
| 36 |
> ...and sometimes a package just stop being "actively" maintained because |
| 37 |
> it is feature-complete (as far as the goals of the project were |
| 38 |
> concerned) and just works. |
| 39 |
> |
| 40 |
> The minimum conditions to lastrite something should be not actively |
| 41 |
> maintained _and_ with open bugs |
| 42 |
|
| 43 |
What happens when the bugs exist, but nobody knows they're there? Let's say |
| 44 |
someone got a copy of Coverity and ran it on long-stable, ridiculously mature |
| 45 |
packages. They get a bunch of hits, but they keep it to themselves and instead |
| 46 |
develop exploits for the bugs they found. |
| 47 |
|
| 48 |
For security's sake, even mature software needs, at minimum, routine auditing. |
| 49 |
Unless someone's doing that work, the package should be considered for |
| 50 |
removal. (Call that reason # π, in honor of TeX.) |
| 51 |
|
| 52 |
(I'm really not trying to start yet another massive thread on the subject, |
| 53 |
hence my original question: Do we have a documented treatise on the question? |
| 54 |
Not "Gentoo's Official Policy", but rather the rationales and counterpoints?) |
Archives