On Tuesday, January 3, 2017 9:24:19 AM EST Damien LEVAC wrote:
> On 01/03/2017 09:14 AM, Michael Mol wrote:
> > On Tuesday, January 3, 2017 12:05:10 PM EST Michał Górny wrote:
> >> On Tue, 3 Jan 2017 16:00:52 +0700 (+07) grozin@g.o wrote:
> >>> On Mon, 2 Jan 2017, Brian Evans wrote:
> >>>> IMO, this one should be given last-rites as upstream is dead and it
> >>>> heavily depends on wireless-tools and WEXT.
> >>>
> >>> I use it on 2 notebooks. It works fine, and is (from my point of view)
> >>> the most convenient tool to control ethernet and wifi connections on a
> >>> notebook. Why lastrite it when it works?
> >>
> >> This is the Gentoo Way™. Having working software is not a goal.
> >> Gentoo focuses on the best bleeding edge experience and therefore
> >> highly relies on software packages that are under active development
> >> and require active maintenance. The packages in early stages of
> >> development are especially interesting since they can supply users
> >> and developers with a variety of interesting bugs and unpredictable
> >> issues.
> >
> > Do we have a detailed treatise documenting the points and counterpoints to
> > "Why lastrite it when it works?" It's a question that comes up every
> > month or two, and the reasons, for and against, are probably mature
> > enough to get numbers, now.
> >
> > Reason #3 in favor: "It works for me" may only be valid from a particular
> > perspective. Without active maintenance, there may be subtle bugs that
> > aren't immediately obvious. Bugs that aren't immediately obvious aren't
> > always innocuous; sometimes they're insidious background data loss. Other
> > times, they might be security vulnerabilities no good guy has yet
> > noticed.
>
> ...and sometimes a package just stops being "actively" maintained because
> it is feature-complete (as far as the goals of the project were
> concerned) and just works.
>
> The minimum conditions to lastrite something should be not actively
> maintained _and_ with open bugs.

What happens when the bugs exist, but nobody knows they're there? Let's say
someone got a copy of Coverity and ran it on long-stable, ridiculously mature
packages. They get a bunch of hits, but they keep it to themselves and instead
develop exploits for the bugs they found.

For security's sake, even mature software needs, at minimum, routine auditing.
Unless someone's doing that work, the package should be considered for
removal. (Call that reason #π, in honor of TeX.)

(I'm really not trying to start yet another massive thread on the subject,
hence my original question: Do we have a documented treatise on the question?
Not "Gentoo's Official Policy", but rather the rationales and counterpoints?)