On one fine day, Thu, 05.01.2017 at 22:00, Daniel Campbell wrote:
> I'm in favor of keeping software around until it breaks. When there's a
> non-existent upstream and nobody's willing to take up the helm
> themselves, it's a clear indication that it's in danger of being
> treecleaned. In some cases that's good; some packages get left behind
> and never updated, CVEs get released,

CVEs don't get released about dead packages that no-one cares about or
has installed as no-one is checking them for bugs and evaluating if
they are security bugs. They just sit there, potentially providing a
nice potential security hole to abuse.

> nobody cares about the package and
> it sits masked for a while. Those are the packages we should consider
> for treecleaning, not just "oh it's been 2 years since a release" or
> "upstream website troubles".
> 
> On the latter count, does anyone attempt to reach upstream before
> suggesting we get rid of the package(s)? Is there not some forum we can
> use to reach users who may be interested in proxy-maintaining it? This
> discussion makes me wonder if we need (more) formal guidelines for
> treecleaning. I think we've got a few people who are eager to clean the
> tree -- and their goal is admirable -- but until we can get metrics on
> who's using what, it's hard to say how much damage removing a package
> will do for users. A thread on gentoo-user re: lastrites might not be a
> bad idea.

The package.masked message that is shown to a user having it installed
is supposed to be providing that forum to potential proxy-maintainers
and such, to step up and fix things within that period and save it from
permanent deletion.
That's the reason we just don't outright delete them immediately, but
do this "last rited, deletion in 30 days" dance. Even though the
message doesn't repeatedly say this for all the p.mask descriptions
(but maybe the package manager stock extra text does, or should).

And ultimately things can be added back, when sensible, e.g. a new
upstream appears that fixes issues, or whatever. Perhaps this user
interested in it enough to care deeply about it being removed from
Gentoo is interested enough to become that upstream or chase down
someone who is willing to, or provide motivation to the old upstream,
or...

