Re: [gentoo-dev] Last rites: app-text/cuneiform

["Róbert Čerňanský" <openhs@tightmail.com>]

On Sun, 24 Mar 2013 19:40:07 -0400
Rich Freeman <rich0@gentoo.org> wrote:

> On Sun, Mar 24, 2013 at 3:24 PM, Ian Stakenvicius <axs@gentoo.org>
> wrote:
> > The number of open bugs doesn't really matter, it's what those bugs
> > are that matters -- security bugs, sure, are of a higher priority
> > and can be fairly easily detected in bugzilla.
> 
> Well, our current treecleaner policy seems to be that if a package
> isn't maintained and has any bugs open at all it is fair game.  The
> caveat to that is that trivial bugs are grounds for fixing instead of
> removals (bad DEPEND atoms, simple-to-fix, etc).  Google the full
> policy for details.
> 
> I think that a better policy would be rather than having any open
> non-trivial bugs we list the sorts of bugs that should be grounds for
> removal, such as:
> 
> 1.  Package does not build in the majority of cases on all archs.
> (Unkeywording is the solution for individual archs that are broken, if
> not easily fixable.  Not building some of the time isn't grounds for
> removal.)
> 
> 2.  Package has an open security bug.  (Cuneiform is a borderline case
> of this - no exploit/CVE but I wouldn't use it on a server being fed
> images submitted by strangers.)
> 
> 3.  Package is blocking another package.  Maintained packages always
> take priority over unmaintained ones.
> 
> Perhaps there are other cases which should be included, but I think
> this covers most of them.  If a package isn't blocking anything else,
> doesn't have security problems, and works most of the time, then I
> think it should generally be kept.

This souds very promising.  Could we leave out point 2 though?  Gentoo
puts lot of decision power to users.  Can it be so also in this case?
Users will have to be informed that the package has security issues of
course, for example, by mentioning it in the mask note.

Robert


-- 
Róbert Čerňanský
E-mail: openhs@tightmail.com
Jabber: hs@jabber.sk