From: James Cloos
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Qt3 mask breaks significant science packages
Date: Sat, 20 Mar 2010 15:04:59 -0400
In-Reply-To: (Ben de Groot's message of "Sun, 14 Mar 2010 11:36:27 +0100")
References: <7c612fc61003120746x5c3111d5wfbe1171d93a5bbad@mail.gmail.com> <20100312165910.36d2580a@gentoo.org>
OpenPGP: ED7DAEA6; url=http://jhcloos.com/public_key/0xED7DAEA6.asc
OpenPGP-Fingerprint: E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6

>>>>> "BdG" == Ben de Groot writes:

BdG> On 14 March 2010 06:09, James Cloos wrote:
>>>>>>> "BdG" == Ben de Groot writes:
>>
BdG> Abandoned packages do not belong in the portage tree.
>>
>> Nonsense.  That attitude only serves to harm the user base.

BdG> You're wrong. It serves to protect our users from potentially
BdG> broken and vulnerable packages.

Any user who needs *that* much hand-holding will use a binary dist, not a source dist.

BdG> It ascertains a Quality Assurance level that we and our users can
BdG> be comfortable with.

No, it does not.  The user base for a build-locally-from-source dist wants wider access, not just a few packages.

>> Leaving them in does not.

BdG> It does, as it opens the users up to unknown security
BdG> vulnerabilities and increasing brokenness as bugs are
BdG> not addressed.

Removing the ebuilds does not help that even one bit.  IF they do not use those programs, they are not harmed even if there is some (real) vulnerability -- and don't forget that most of the vulnerability claims are for things which will never happen in practice.  (Which is not to suggest that upstreams shouldn't code defensively, just that not every warning is critical enough to lose sleep over.)
BdG> If Gentoo would stop caring about QA, then we'd be wasting
BdG> our time working on making this a better distro.

Removing ebuilds is not in itself QA.  It does not in itself improve quality.  There has to be a real reason to remove.

Removing a leaf package which has been replaced by its upstream, whether by a simple rename or by a complete re-implementation or anywhere in between, is a good call.

Removing a widely-used, well-designed and well-managed library and everything which depends on it, just because upstream has stopped dealing with bug reports against that version, is not.

The likelihood that any significant issues remain in qt3 is small.  The relevant apps work, have been working and will continue to work.

I will not begrudge the kde team for wanting to support only kde4.  Dropping kde3 in favour of kde4 is just an upgrade.  But dropping qt3 even though packages exist which depend on it and have not been ported to qt4 (and it *is* a /port/, *not* an /upgrade/) is simply the wrong thing to do.

It is also OK to mask -- but not necessarily remove -- a package with a truly exploitable bug; more so if the package is itself security-related.  That means real exploits in the wild, real attempts to do harm.

The so-called qa team has been acting too robotically.  It needs to show more common sense and better judgement.  Worry about the real problems, not the trivial.  Work to fix packages, not to murder them.

-JimC
-- 
James Cloos OpenPGP: 1024D/ED7DAEA6