Hey, while doing some work on PHP transitions, saving courier-imap, and finally packaging seafile since they finally stopped violating the GPL, I found quite a lot of bitrot in some (mostly leaf) packages: packages untouched for years after the initial upload, packages with unreachable maintainers, etc.[1]
I totally understand that our QA team can't solve all of this, but I have a couple of automated ideas that might help:

* Some automated check that would mark the package as outdated. Outdated packages won't make it into stable and would be removed from unstable. Some indicators that a package might be outdated:
  - big difference (in time, in version numbers?) between the upstream version and the Debian version
  - no upload in a long time
  - some really outdated standards version
  - some really outdated dh compat level
  - using outdated packaging tools (and please don't go into the 1.0 vs 3.0 fight again here :-)
  - something with being a leaf library and not used by anybody else for a long time (combine that with popcon, f.e.?)
  - other indicators

* A package marked as "outdated" would:
  a) not be able to enter "stable"
  b) not be able to enter "testing"
  c) be removed from "unstable"

* Not really sure if we have packages so "rock-stable" that they still work even though they haven't been touched in years, but I guess we would need some whitelist; I suspect the whitelist would be quite small.

* Perhaps this might be good GSoC material? (If somebody wants to lead the effort.)

And the second thought:

* Team-defined policies - let's say - if you are packaging a PHP package, you'll have to (just examples):
  - package the software under the PHP {maint,pecl,pear} team
  - have somebody else from the team review your package (if you are new to da biz)

I have a feeling that we are hoarding packages, but the overall quality varies a lot (not pointing fingers here). The feeling I have now was the same when I was doing the Berkeley DB transition (and I really wish I had just filed a couple more ROMs/RQAs then instead of fixing the outdated software in the archive).
I also think we should draw the line right in unstable (related to the upstream-Debian relationship discussion that's happening in parallel) and not just in stable, and perhaps be more aggressive in removing software that's no longer useful and just lies dormant in the archive.

1. Not saying here that I am completely without guilt from time to time and from package to package :).

Cheers,
--
Ondřej Surý <ond...@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
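To make the "automated check" idea from the mail concrete, here is an added example (it is not code from the mail, nor from Debian's own QA tooling). It implements the dpkg version-comparison rules in full (epoch, upstream part and Debian revision; "~" sorts before anything, letters before non-letters), which goes beyond the single "upstream vs. Debian version" indicator the mail names, and then scores a few constructed package records against the listed indicators: upstream ahead of the packaged version, no upload for years, an old Standards-Version, an old debhelper compat level, with a whitelist for the "rock-stable" exceptions. The record field names (Package, Version, Upstream, Last-Upload, Standards-Version, Compat), the sample records and the thresholds are assumptions made for the example, not archive data.

```python
"""Staleness heuristics for Debian source packages (added example).

Field names, sample records and thresholds are assumptions for the example;
the version ordering follows dpkg's verrevcmp() algorithm.
"""
from datetime import date


def _order(c):
    # Character weight as in dpkg's order(): '~' lowest, digits and
    # end-of-string 0, letters by code point, other symbols above letters.
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    # dpkg verrevcmp(): alternate non-digit runs (lexical by _order) and
    # digit runs (numeric, leading zeros ignored). Returns <0, 0 or >0.
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg --compare-versions would order a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)


def outdated_indicators(rec, today, *, max_age_days=3 * 365,
                        min_standards="4.1.0", min_compat=9, whitelist=()):
    """List the staleness indicators a record trips; an empty list means 'fine'.
    Thresholds are constructed defaults, not Debian policy values."""
    if rec["Package"] in whitelist:
        return []  # the "rock-stable" exceptions the mail mentions
    reasons = []
    _, packaged, _ = parse_version(rec["Version"])
    if compare_versions(packaged, rec["Upstream"]) < 0:
        reasons.append("upstream %s newer than packaged %s" % (rec["Upstream"], packaged))
    age = (today - rec["Last-Upload"]).days
    if age > max_age_days:
        reasons.append("no upload for %d days" % age)
    if compare_versions(rec["Standards-Version"], min_standards) < 0:
        reasons.append("Standards-Version %s older than %s" % (rec["Standards-Version"], min_standards))
    if rec["Compat"] < min_compat:
        reasons.append("debhelper compat %d below %d" % (rec["Compat"], min_compat))
    return reasons


def classify(records, today, **thresholds):
    """Map package name -> list of indicators for every record."""
    return {r["Package"]: outdated_indicators(r, today, **thresholds) for r in records}


# Constructed sample records (not real archive data).
RECORDS = [
    {"Package": "php-foo", "Version": "1.2.0-1", "Upstream": "1.4.1",
     "Last-Upload": date(2015, 3, 2), "Standards-Version": "3.9.6", "Compat": 5},
    {"Package": "libbar", "Version": "2:0.9.8-3", "Upstream": "0.9.8",
     "Last-Upload": date(2018, 1, 15), "Standards-Version": "4.1.3", "Compat": 11},
    {"Package": "baz", "Version": "1.0~rc1-2", "Upstream": "1.0",
     "Last-Upload": date(2017, 11, 1), "Standards-Version": "4.1.0", "Compat": 10},
]
TODAY = date(2018, 6, 1)  # constructed "today" so the example is reproducible

if __name__ == "__main__":
    for name, reasons in classify(RECORDS, TODAY).items():
        print(name, "OUTDATED" if reasons else "ok", reasons)
```

The comparison is deliberately the full dpkg algorithm rather than a numeric split, because "1.0~rc1" must sort below "1.0" and "1.10" above "1.9"; a naive string or float comparison gets both wrong and would flag the wrong packages. The scoring side is intentionally dumb (each indicator is a yes/no), which is what you want for a first pass that only files a list for humans to look at.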