From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 080C9139085 for ; Fri, 6 Jan 2017 08:04:51 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9242A234014; Fri, 6 Jan 2017 08:04:41 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 3BB04E0DCE for ; Fri, 6 Jan 2017 08:04:41 +0000 (UTC) Received: from [192.168.2.10] (62.65.231.75.cable.starman.ee [62.65.231.75]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: leio) by smtp.gentoo.org (Postfix) with ESMTPSA id DF2F4341265 for ; Fri, 6 Jan 2017 08:04:39 +0000 (UTC) Message-ID: <1483689875.7573.6.camel@gentoo.org> Subject: Re: [gentoo-dev] Packages up for grabs due to retirement From: Mart Raudsepp To: gentoo-dev@lists.gentoo.org Date: Fri, 06 Jan 2017 10:04:35 +0200 In-Reply-To: <7a2010ad-185c-514a-c11f-7000b09e4ff5@gentoo.org> References: <4a185773-6144-69b8-a466-0e554732f12f@gentoo.org> <20170101181644.366769b2@abudhabi.paradoxon.rec> <37f7a2ac-6214-deaf-01a3-871cecca96b2@gentoo.org> <20170103120510.325206fa.mgorny@gentoo.org> <7a2010ad-185c-514a-c11f-7000b09e4ff5@gentoo.org> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@lists.gentoo.org Reply-to: gentoo-dev@lists.gentoo.org Mime-Version: 1.0 Content-Transfer-Encoding: 8bit X-Archives-Salt: 878580bb-a544-4269-9b14-79bcd8c4537b X-Archives-Hash: 5b2971c2fa9ce141df8c2d260c19f973 Ühel kenal päeval, N, 05.01.2017 kell 22:00, kirjutas Daniel Campbell: > I'm in favor of keeping software around until it breaks. When there's > a > non-existent upstream and nobody's willing to take up the helm > themselves, it's a clear indication that it's in danger of being > treecleaned. In some cases that's good; some packages get left behind > and never updated, CVEs get released, CVEs don't get released about dead packages that no-one cares about or has installed as no-one is checking them for bugs and evaluating if they are security bugs. They just sit there, potentially providing a nice potential security hole to abuse. > nobody cares about the package and > it sits masked for a while. Those are the packages we should consider > for treecleaning, not just "oh it's been 2 years since a release" or > "upstream website troubles". > > On the latter count, does anyone attempt to reach upstream before > suggesting we get rid of the package(s)? Is there not some forum we > can > use to reach users who may be interested in proxy-maintaining it? > This > discussion makes me wonder if we need (more) formal guidelines for > treecleaning. I think we've got a few people who are eager to clean > the > tree -- and their goal is admirable -- but until we can get metrics > on > who's using what, it's hard to say how much damage removing a package > will do for users. A thread on gentoo-user re: lastrites might not be > a > bad idea. The package.masked message that is shown to a user having it installed is supposed to be providing that forum to potential proxy-maintainers and such, to step up and fix things within that period and save it from permanent deletion. That's the reason we just don't outright delete them immediately, but do this "last rited, deletion in 30 days" dance. Even though the message doesn't repeatedly say this for all the p.mask descriptions (but maybe the package manager stock extra text does, or should). And ultimately things can be added back, when sensible, e.g a new upstream appears that fixes issues, or whatever. Perhaps this user interested in it enough to care deeply about it being remove from Gentoo is interested enough to become that upstream or chase down someone who is willing to, or provide motivation to the old upstream, or...