On Mon, 2026-05-04 at 14:42 +0200, Simon Josefsson wrote: > As far as I can tell, there are no longer any reverse dependencies of > this package in Debian (see below).
docker.io did vendor notary in 27.5.1+dfsg3-1; not sure if that's still the case. > Any objections to finally remove 'notary' from Debian? > > I believe that leaving packages in 'unstable' but keep them out of > testing is a reasonable thing to do, since you never know when a > golang-*-dev package may become needed as a build dependency in the > future, but I think that for this package, we actively don't want > that to happen. The downside is that this leads to accumulating cruft that bitrots and wastes developer time, for example when running `ratt` encounters a package that fails to build, or when someone running Debian Janitor (or similar) performs pointless cleanup on the package. In the case when a project is explicitly abandoned upstream OR the project is designed to handle security-sensitive actions (both true in the case for notary), I don't think we should keep the package in the archive "just in case". The DFSG team seems to be processing the NEW queue very quickly, so down the road if someone wants to re-introduce a RM'ed package that shouldn't be a large obstacle. Mathias
signature.asc
Description: This is a digitally signed message part
