| 1 |
On 03/01/17 14:57, Michael Mol wrote: |
| 2 |
> On Tuesday, January 3, 2017 9:24:19 AM EST Damien LEVAC wrote: |
| 3 |
>> On 01/03/2017 09:14 AM, Michael Mol wrote: |
| 4 |
>>> On Tuesday, January 3, 2017 12:05:10 PM EST Michał Górny wrote: |
| 5 |
>>>> On Tue, 3 Jan 2017 16:00:52 +0700 (+07) |
| 6 |
>>>> |
| 7 |
>>>> grozin@g.o wrote: |
| 8 |
>>>>> On Mon, 2 Jan 2017, Brian Evans wrote: |
| 9 |
>>>>>> IMO, this one should be given last-rites as upstream is dead and it |
| 10 |
>>>>>> heavily depends on wireless-tools and WEXT. |
| 11 |
>>>>> I use it on 2 notebooks. It works fine, and is (from my point of view) |
| 12 |
>>>>> the |
| 13 |
>>>>> most convenient tool to control ethernet and wifi connections on a |
| 14 |
>>>>> notebook. Why lastrite it when it works? |
| 15 |
>>>> This is the Gentoo Way™. Having a working software is not a goal. |
| 16 |
>>>> Gentoo focuses on the best bleeding edge experience and therefore |
| 17 |
>>>> highly relies on software packages that are under active development |
| 18 |
>>>> and require active maintenance. The packages in early stages of |
| 19 |
>>>> development are especially interesting since they can supply users |
| 20 |
>>>> and developers with variety of interesting bugs and unpredictable |
| 21 |
>>>> issues. |
| 22 |
>>> Do we have detailed treatise documenting the points and counterpoints to |
| 23 |
>>> "Why lastrite it when it works?" It's a question that comes up every |
| 24 |
>>> month or two, and the reasons, for and against, are probably mature |
| 25 |
>>> enough to get numbers, now. |
| 26 |
>>> |
| 27 |
>>> Reason #3 in favor: "It works for me" may only be valid from a particular |
| 28 |
>>> perspective. Without active maintenance, there may be subtle bugs that |
| 29 |
>>> aren't immediately obvious. Bugs that aren't immediately obvious aren't |
| 30 |
>>> always innocuous; sometimes they're insidious background data loss. Other |
| 31 |
>>> times, they might be security vulnerabilities no good guy has yet |
| 32 |
>>> noticed. |
| 33 |
>> ...and sometimes a package just stop being "actively" maintained because |
| 34 |
>> it is feature-complete (as far as the goals of the project were |
| 35 |
>> concerned) and just works. |
| 36 |
>> |
| 37 |
>> The minimum conditions to lastrite something should be not actively |
| 38 |
>> maintained _and_ with open bugs |
| 39 |
> What happens when the bugs exist, but nobody knows they're there? Let's say |
| 40 |
> someone got a copy of Coverity and ran it on long-stable, ridiculously mature |
| 41 |
> packages. They get a bunch of hits, but they keep it to themselves and instead |
| 42 |
> develop exploits for the bugs they found. |
| 43 |
> |
| 44 |
> For security's sake, even mature software needs, at minimum, routine auditing. |
| 45 |
> Unless someone's doing that work, the package should be considered for |
| 46 |
> removal. (Call that reason # π, in honor of TeX.) |
| 47 |
> |
| 48 |
> (I'm really not trying to start yet another massive thread on the subject, |
| 49 |
> hence my original question: Do we have a documented treatise on the question? |
| 50 |
> Not "Gentoo's Official Policy", but rather the rationales and counterpoints?) |
| 51 |
Possibly this page may help: |
| 52 |
|
| 53 |
https://wiki.gentoo.org/wiki/Project:Treecleaner/Policy |
| 54 |
|
| 55 |
Also |
| 56 |
|
| 57 |
https://wiki.gentoo.org/wiki/Project:Bug-cleaners |
| 58 |
|
| 59 |
is quite enlightening [having burnt my fingers on those]. |
Archives