Hi, I would like to bring up the issue of removed packages. I think it is problematic that sometimes packages get removed, with no automatic transition [a transitional package, or another package depending on a replacement package or conflicting with the old one], and no active notification to the user.
My primary concern is security. I recently discovered many packages that have been removed from Debian, that I had still been using with no idea that they were removed. The worst part is, some of these packages were removed due to outstanding security bugs! For example, bitchx and dhcp-client. It's clear to me that a silent removal is problematic since the result is existing users keep that buggy version forever. An example of a package with a logical replacement is beep-media-player. I've been using this program without realizing that audacious has superceded it. I would have been nice, though not necessarily security-critical, to know about beep-media-player's removal. Some of the ones I've noticed are a single binary package removed where the source package still exists, e.g. hal-device-manager (which is somewhat superceded by gnome-device-manager). With ntp-simple, I don't know how, but I had both ntp and ntp-simple (version 1:4.2.2.p4+dfsg-2) installed, where ntp presumably was supposed to get rid of ntp-simple. Apparently a transitional package existed and was subsequently removed, so it fell through the cracks. [How to find out why a particular package no longer exists wasn't obvious either. A general search via Google or newsgroups usually doesn't yield anything useful; the way I've figured out how to do it is (1) look up the package in packages.qa.debian.org, (2) find a "removed from unstable" message, and (3) look up the associated bug report at bugs.debian.org.] Solutions?: Since in many of these situations there may be more than one replacement or no replacement, it makes sense that there's no automatic action via a dist-upgrade. One idea is to have a system where the user is notified when installed packages no longer exist in the apt repositories, with an explanation and suggested followups [e.g. install one of X,Y,Z, or just remove the package]. The default explanation could be just a link to the BTS page, so no extra required work for maintainers. How? Since users may have installed .deb files manually or removed lines from /etc/apt/sources.list, the existence of a package without an apt source isn't necessarily a problem. However, an active removal via an ftp.debian.org bug, or a source package no longer building a binary package, is more significant. I suggest in these cases that when the user runs apt-get upgrade, he is notified of removed packages (the first time this is noticed). This might be implemented in a separate tool hooked in similar to apt-listchanges, or integrated into apt-get and/or various frontends; the information might be part of Packages.gz or a separate file similar to ftp-master.debian.org/removals.txt. (I noticed that removals.txt only has a few months of data. The mechanism for this idea should allow for people who only run apt-get once every couple months.) Thoughts? What have I missed? Existing solutions or non-problem? How can we move towards implementing something like this? What other ideas are there for dealing with disappearing packages? Thanks, Karl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]