Hey,

while doing some work on PHP transitions, saving courier-imap, finally
packaging seafile since they finally stopped violating the GPL, I found
quite a lot of bitrot in some (mostly leaf) packages. Packages untouched
for years after the initial upload, packages with unreachable
maintainers, etc.[1]

I totally understand that our QA team can't solve all of this, but I
have a couple of automated ideas that might help:

* Some automated check that would mark the package as outdated. Outdated
packages won't make it into stable and would be removed from unstable.
Some indicators that a package might be outdated:
 - big difference (in time, in version numbers?) between upstream
 version and Debian version
 - no upload in a long time
 - some really outdated standards version
 - some really outdated dh compat level
 - using outdated packaging tools (and please don't go into the 1.0 vs
 3.0 fight again here :-)
 - something with being a leaf library and not used by anybody else for
 a long time (combine that with popcon, f.e.?)
 - other indicators

* Package marked as "outdated" would:
 a) not be able to enter "stable"
 b) not be able to enter "testing"
 c) would be removed from "unstable"

* Not really sure if we have packages so "rock-stable" that they still
work even though they haven't been touched in years, but I guess we
would need some whitelist, but I suspect the whitelist would be quite
small.

* Perhaps this might be good GSoC material?  (If somebody wants to lead
the effort.)

And the second thought:

* Team defined policies - let's say - if you are packaging PHP package,
you'll have to (just examples):
 - package the software under the PHP {maint,pecl,pear} team
 - have somebody else from the team review your package (if you are new
 to da biz)

I have a feeling that we are hoarding packages, but the overall quality
varies a lot (not pointing fingers here). The feeling I have now is the
same as when I was doing the Berkeley DB transition (and I really wish I
had just filed a couple more ROMs/RQAs then instead of fixing the
outdated software in the archive).

I also think we should draw the line right in unstable (related to the
upstream-Debian relationship discussion that's happening in parallel)
and not just in stable, and perhaps be more aggressive in removing
software that's no longer useful and just lies dormant in the archive.

1. not saying here that I am completely without guilt from time to time
and from package to package :).

Cheers,
-- 
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server

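The "outdated package" indicators listed in the message, turned into a small scorer over constructed package records. This is an added example from the editor, not code from the message or from Debian QA: the thresholds, the Last-Upload, DH-Compat, Popcon and Reverse-Depends field names, and the sample values are assumptions, and version ordering is simplified (a real check would use dpkg --compare-versions).

```python
from datetime import date

# Thresholds are illustrative assumptions, not Debian policy.
MAX_UPLOAD_AGE_DAYS = 3 * 365
MIN_STANDARDS_VERSION = (4, 0, 0)
MIN_DH_COMPAT = 9
LEAF_POPCON_FLOOR = 50

def parse_stanza(text):
    """Parse a flat 'Field: value' stanza (continuation lines not handled)."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def version_tuple(v):
    """Simplified dotted-integer order; a real check should use dpkg --compare-versions."""
    return tuple(int(p) for p in v.split("."))

def outdated_reasons(pkg, latest_upstream, today_iso):
    """Return which of the proposal's indicators fire for one package record."""
    reasons = []
    today = date.fromisoformat(today_iso)
    uploaded = date.fromisoformat(pkg["Last-Upload"])
    if (today - uploaded).days > MAX_UPLOAD_AGE_DAYS:
        reasons.append(f"no upload since {uploaded}")
    if version_tuple(pkg["Standards-Version"]) < MIN_STANDARDS_VERSION:
        reasons.append(f"Standards-Version {pkg['Standards-Version']} is outdated")
    if int(pkg["DH-Compat"]) < MIN_DH_COMPAT:
        reasons.append(f"dh compat level {pkg['DH-Compat']} is outdated")
    # Debian version is [epoch:]upstream[-revision]; compare the upstream part only
    upstream = pkg["Version"].rpartition(":")[2].split("-")[0]
    if version_tuple(upstream) < version_tuple(latest_upstream):
        reasons.append(f"upstream {latest_upstream} released, archive has {upstream}")
    if not pkg.get("Reverse-Depends") and int(pkg["Popcon"]) < LEAF_POPCON_FLOOR:
        reasons.append("leaf package with low popcon")
    return reasons

# Constructed sample records; only Version and Standards-Version are real Sources fields.
STALE_PKG = ("Version: 1:0.4.2-3\nStandards-Version: 3.8.4\nDH-Compat: 5\n"
             "Last-Upload: 2011-06-01\nPopcon: 12\nReverse-Depends:")
FRESH_PKG = ("Version: 2.1.0-1\nStandards-Version: 4.1.3\nDH-Compat: 11\n"
             "Last-Upload: 2017-11-20\nPopcon: 900\nReverse-Depends: bar-tools, baz")

if __name__ == "__main__":
    for text, latest in ((STALE_PKG, "1.2.0"), (FRESH_PKG, "2.1.0")):
        print(outdated_reasons(parse_stanza(text), latest, "2018-01-15"))  # constructed date
```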