Andrey Rahmatullin <w...@debian.org> writes:

> On Sun, Feb 07, 2021 at 10:25:26AM -0800, Russ Allbery wrote:

>> To me, the rewards of keeping the orphaned packages clearly outweigh
>> the risks. If the package is actually broken, presumably sooner or
>> later someone will notice and report that as a bug, and we can then
>> take appropriate action.

>> The exception, I suppose, is that we probably shouldn't keep shipping
>> packages that are orphaned and that no one is using, just on clutter
>> grounds, but that seems like a smaller problem that would be
>> better-handled by other mechanisms than a blanket rule for unmaintained
>> packages.

> There are also other, though I think rare, considerations, like security
> problems.

Yes, security is a worry, and security problems in orphaned packages fall primarily on the security team instead of on the maintainer. If there are packages of concern to the security team from a supportability standpoint, I certainly would support them in asking for them to be adopted or removed.

Thankfully, most packages in the archive don't tend to have meaningful security problems, in the sense that they don't listen to the network and don't have unusual privileges, so are only likely to cause problems if they're somehow run on untrusted input. (Which was probably your point about being rare.)

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>