On a fine day, Thu, 05.01.2017 at 22:00, Daniel Campbell wrote:
> I'm in favor of keeping software around until it breaks. When there's a
> non-existent upstream and nobody's willing to take up the helm
> themselves, it's a clear indication that it's in danger of being
> treecleaned. In some cases that's good; some packages get left behind
> and never updated, CVEs get released,

CVEs don't get released about dead packages that no-one cares about or
has installed as no-one is checking them for bugs and evaluating if
they are security bugs. They just sit there, potentially providing a
nice potential security hole to abuse.

> nobody cares about the package and
> it sits masked for a while. Those are the packages we should consider
> for treecleaning, not just "oh it's been 2 years since a release" or
> "upstream website troubles".
>
> On the latter count, does anyone attempt to reach upstream before
> suggesting we get rid of the package(s)? Is there not some forum we can
> use to reach users who may be interested in proxy-maintaining it? This
> discussion makes me wonder if we need (more) formal guidelines for
> treecleaning. I think we've got a few people who are eager to clean the
> tree -- and their goal is admirable -- but until we can get metrics on
> who's using what, it's hard to say how much damage removing a package
> will do for users. A thread on gentoo-user re: lastrites might not be a
> bad idea.

The package.masked message that is shown to a user having it installed
is supposed to be providing that forum to potential proxy-maintainers
and such, to step up and fix things within that period and save it from
permanent deletion.
That's the reason we just don't outright delete them immediately, but
do this "last rited, deletion in 30 days" dance. Even though the
message doesn't repeatedly say this for all the p.mask descriptions
(but maybe the package manager stock extra text does, or should).

And ultimately things can be added back, when sensible, e.g. a new
upstream appears that fixes issues, or whatever. Perhaps this user
interested in it enough to care deeply about it being removed from
Gentoo is interested enough to become that upstream or chase down
someone who is willing to, or provide motivation to the old upstream,
or...