From: Raymond Jennings
Date: Sat, 23 Mar 2019 13:14:06 -0700
Subject: Re: [gentoo-project] How to improve detection of unmaintained packages?
To: gentoo-project@lists.gentoo.org

On Sat, Mar 23, 2019 at 11:26 AM Rich Freeman <rich0@gentoo.org> wrote:
> On Sat, Mar 23, 2019 at 10:17 AM Alec Warner <antarus@gentoo.org> wrote:
> >
> >
> > Avoid letting the perfect be the enemy of the good here.
>
> Indeed, we need to avoid treating packages as unmaintained simply
> because they have open bugs.
>
> Many packages have bugs that are fairly trivial in nature, or build
> issues that only show up in fairly obscure configurations. These
> often affect only a single user.
>
> If we treeclean the package we don't actually fix the problem - we
> just drive it to an overlay. Now instead of a package that works for
> 11/12 users and has an obscure bug, we now have a package that isn't
> getting monitored for security issues, and other QA issues that might
> actually be fixed if they were pointed out.
>
> > Rules:
> > A package is unmaintained if it:
> >   - Has not been touched in 5 years
>
> Do we really want to bump packages just for the sake of saying that
> they've been touched? That seems a bit much.
>
> >   - Is behind 3 versions AND hasn't been touched in 2 years
>
> If we have the ability to detect if a package is behind upstream,
> perhaps we should actually file bugs about this so that the maintainer
> is aware.

This is part of the idea behind my plan to have open bugs be the first
(but probably not only, as the later phases demonstrate) symptom of
trouble.

Apart from it not being fair to remove the package unless it's actually
broken, it's also a good habit imo to encourage bugs (as long as they're
not frivolous) to be filed simply for documentation purposes.

> However, the fact that a newer version exists doesn't necessarily mean
> that there is a problem with the older version. For some types of
> software a maintainer might be picky about what updates they accept.
> For example, they might need to synchronize versions with other
> distros that update less often/etc. They should of course accept
> contributions from others willing to test, but the fact that somebody
> is maintaining a package on Gentoo doesn't obligate them to always
> support the latest version of that package.
>
> Now, obviously if there is a security issue/etc then we should follow
> the existing security policies, but those are already established.
>
> --
> Rich