>>>>> "BdG" == Ben de Groot <yngwin@g.o> writes:

BdG> On 14 March 2010 06:09, James Cloos <cloos@×××××××.com> wrote:
>>>>>>> "BdG" == Ben de Groot <yngwin@g.o> writes:
>>
BdG> Abandoned packages do not belong in the portage tree.
>>
>> Nonsense. That attitude only serves to harm the user base.

BdG> You're wrong. It serves to protect our users from potentially
BdG> broken and vulnerable packages.

Any user who needs *that* much hand-holding will use a binary dist,
not a source dist.

BdG> It ascertains a Quality Assurance level that we and our users can
BdG> be comfortable with.

No, it does not. The user base for a build-locally-from-source dist
wants wider access, not just a few packages.

>> Leaving them in does not.

BdG> It does, as it opens the users up to unknown security
BdG> vulnerabilities and increasing brokenness as bugs are
BdG> not addressed.

Removing the ebuilds does not help that even one bit. IF they do not
use those programs, they are not harmed even if there is some (real)
vulnerability -- and don't forget that most of the vulnerability claims
are for things which will never happen in practice. (Which is not to
suggest that upstreams shouldn't code defensively, just that not every
warning is critical enough to lose sleep over.)

BdG> If Gentoo would stop caring about QA, then we'd be wasting
BdG> our time working on making this a better distro.

Removing ebuilds is not in itself QA. It does not in itself improve
quality. There has to be a real reason to remove.

Removing a leaf package which has been replaced by its upstream, whether
by a simple rename or by a complete re-implementation or anywhere
in between, is a good call.

Removing a widely-used, well-designed and well-managed library and
everything which depends on it, just because upstream has stopped
dealing with bug reports against that version, is not. The likelihood
that any significant issues remain in qt3 is small. The relevant apps
work, have been working and will continue to work.

I will not begrudge the kde team for wanting to support only kde4.

Dropping kde3 in favour of kde4 is just an upgrade.

But dropping qt3 even though packages exist which depend on it and have
not been ported to qt4 (and it *is* a /port/, *not* an /upgrade/) is
simply the wrong thing to do.

It is also OK to mask -- but not necessarily remove -- a package with a
truly exploitable bug; more so if the package is itself security-related.
That means real exploits in the wild, real attempts to do harm.

The so-called qa team has been acting too robotically. It needs to show
more common sense and better judgement. Worry about the real problems,
not the trivial. Work to fix packages, not to murder them.

-JimC
--
James Cloos <cloos@×××××××.com> OpenPGP: 1024D/ED7DAEA6