On 03/01/17 14:57, Michael Mol wrote:
> On Tuesday, January 3, 2017 9:24:19 AM EST Damien LEVAC wrote:
>> On 01/03/2017 09:14 AM, Michael Mol wrote:
>>> On Tuesday, January 3, 2017 12:05:10 PM EST Michał Górny wrote:
>>>> On Tue, 3 Jan 2017 16:00:52 +0700 (+07)
>>>>
>>>> grozin@g.o wrote:
>>>>> On Mon, 2 Jan 2017, Brian Evans wrote:
>>>>>> IMO, this one should be given last-rites as upstream is dead and it
>>>>>> heavily depends on wireless-tools and WEXT.
>>>>> I use it on 2 notebooks. It works fine, and is (from my point of view)
>>>>> the most convenient tool to control ethernet and wifi connections on a
>>>>> notebook. Why lastrite it when it works?
>>>> This is the Gentoo Way™. Having working software is not a goal.
>>>> Gentoo focuses on the best bleeding edge experience and therefore
>>>> highly relies on software packages that are under active development
>>>> and require active maintenance. The packages in early stages of
>>>> development are especially interesting since they can supply users
>>>> and developers with a variety of interesting bugs and unpredictable
>>>> issues.
>>> Do we have a detailed treatise documenting the points and counterpoints to
>>> "Why lastrite it when it works?" It's a question that comes up every
>>> month or two, and the reasons, for and against, are probably mature
>>> enough to get numbers, now.
>>>
>>> Reason #3 in favor: "It works for me" may only be valid from a particular
>>> perspective. Without active maintenance, there may be subtle bugs that
>>> aren't immediately obvious. Bugs that aren't immediately obvious aren't
>>> always innocuous; sometimes they're insidious background data loss. Other
>>> times, they might be security vulnerabilities no good guy has yet
>>> noticed.
>> ...and sometimes a package just stops being "actively" maintained because
>> it is feature-complete (as far as the goals of the project were
>> concerned) and just works.
>>
>> The minimum conditions to lastrite something should be not actively
>> maintained _and_ with open bugs
> What happens when the bugs exist, but nobody knows they're there? Let's say
> someone got a copy of Coverity and ran it on long-stable, ridiculously mature
> packages. They get a bunch of hits, but they keep it to themselves and instead
> develop exploits for the bugs they found.
>
> For security's sake, even mature software needs, at minimum, routine auditing.
> Unless someone's doing that work, the package should be considered for
> removal. (Call that reason # π, in honor of TeX.)
>
> (I'm really not trying to start yet another massive thread on the subject,
> hence my original question: Do we have a documented treatise on the question?
> Not "Gentoo's Official Policy", but rather the rationales and counterpoints?)
Possibly this page may help:

https://wiki.gentoo.org/wiki/Project:Treecleaner/Policy

Also

https://wiki.gentoo.org/wiki/Project:Bug-cleaners

is quite enlightening [having burnt my fingers on those].