On Sat, Mar 23, 2019 at 2:26 PM Rich Freeman wrote:
> On Sat, Mar 23, 2019 at 10:17 AM Alec Warner wrote:
> >
> > Avoid letting the perfect be the enemy of the good here.
>
> Indeed, we need to avoid treating packages as unmaintained simply
> because they have open bugs.
>
> Many packages have bugs that are fairly trivial in nature, or build
> issues that only show up in fairly obscure configurations. These
> often affect only a single user.

So this is why I advocate for building a number of signals, and using a combination of signals to determine if a package is unmaintained.

> If we treeclean the package we don't actually fix the problem - we
> just drive it to an overlay. Now instead of a package that works for
> 11/12 users and has an obscure bug, we now have a package that isn't
> getting monitored for security issues, and other QA issues that might
> actually be fixed if they were pointed out.
>
> > Rules:
> > A package is unmaintained if it:
> > - Has not been touched in 5 years
>
> Do we really want to bump packages just for the sake of saying that
> they've been touched? That seems a bit much.

I'm not saying "we should absolutely remove packages that have not been touched in N years" but I am saying "we should review packages that have not been touched in N years".

> > - Is behind 3 versions AND hasn't been touched in 2 years
>
> If we have the ability to detect if a package is behind upstream,
> perhaps we should actually file bugs about this so that the maintainer
> is aware.
>
> However, the fact that a newer version exists doesn't necessarily mean
> that there is a problem with the older version. For some types of
> software a maintainer might be picky about what updates they accept.
> For example, they might need to synchronize versions with other
> distros that update less often/etc. They should of course accept
> contributions from others willing to test, but the fact that somebody
> is maintaining a package on Gentoo doesn't obligate them to always
> support the latest version of that package.
>
> Now, obviously if there is a security issue/etc then we should follow
> the existing security policies, but those are already established.

Would you be happier if there was some kind of opt-out or whitelist? Have you looked at mgorny's recent removals? It's mostly stuff that doesn't build and hasn't been touched in 5 years and *yeah* I want that stuff out of the tree; it's a net negative for everyone. Keeping packages in the tree isn't free.

> --
> Rich