| 1 |
Ühel kenal päeval, N, 05.01.2017 kell 22:00, kirjutas Daniel Campbell: |
| 2 |
> I'm in favor of keeping software around until it breaks. When there's |
| 3 |
> a |
| 4 |
> non-existent upstream and nobody's willing to take up the helm |
| 5 |
> themselves, it's a clear indication that it's in danger of being |
| 6 |
> treecleaned. In some cases that's good; some packages get left behind |
| 7 |
> and never updated, CVEs get released, |
| 8 |
|
| 9 |
CVEs don't get released about dead packages that no-one cares about or |
| 10 |
has installed as no-one is checking them for bugs and evaluating if |
| 11 |
they are security bugs. They just sit there, potentially providing a |
| 12 |
nice potential security hole to abuse. |
| 13 |
|
| 14 |
> nobody cares about the package and |
| 15 |
> it sits masked for a while. Those are the packages we should consider |
| 16 |
> for treecleaning, not just "oh it's been 2 years since a release" or |
| 17 |
> "upstream website troubles". |
| 18 |
> |
| 19 |
> On the latter count, does anyone attempt to reach upstream before |
| 20 |
> suggesting we get rid of the package(s)? Is there not some forum we |
| 21 |
> can |
| 22 |
> use to reach users who may be interested in proxy-maintaining it? |
| 23 |
> This |
| 24 |
> discussion makes me wonder if we need (more) formal guidelines for |
| 25 |
> treecleaning. I think we've got a few people who are eager to clean |
| 26 |
> the |
| 27 |
> tree -- and their goal is admirable -- but until we can get metrics |
| 28 |
> on |
| 29 |
> who's using what, it's hard to say how much damage removing a package |
| 30 |
> will do for users. A thread on gentoo-user re: lastrites might not be |
| 31 |
> a |
| 32 |
> bad idea. |
| 33 |
|
| 34 |
The package.masked message that is shown to a user having it installed |
| 35 |
is supposed to be providing that forum to potential proxy-maintainers |
| 36 |
and such, to step up and fix things within that period and save it from |
| 37 |
permanent deletion. |
| 38 |
That's the reason we just don't outright delete them immediately, but |
| 39 |
do this "last rited, deletion in 30 days" dance. Even though the |
| 40 |
message doesn't repeatedly say this for all the p.mask descriptions |
| 41 |
(but maybe the package manager stock extra text does, or should). |
| 42 |
|
| 43 |
And ultimately things can be added back, when sensible, e.g a new |
| 44 |
upstream appears that fixes issues, or whatever. Perhaps this user |
| 45 |
interested in it enough to care deeply about it being remove from |
| 46 |
Gentoo is interested enough to become that upstream or chase down |
| 47 |
someone who is willing to, or provide motivation to the old upstream, |
| 48 |
or... |
Archives