>>>>> "BdG" == Ben de Groot <yng...@gentoo.org> writes:

BdG> On 14 March 2010 06:09, James Cloos <cl...@jhcloos.com> wrote:
>>>>>>> "BdG" == Ben de Groot <yng...@gentoo.org> writes:
>> 
BdG> Abandoned packages do not belong in the portage tree.
>> 
>> Nonsense.  That attitude only serves to harm the user base.

BdG> You're wrong. It serves to protect our users from potentially
BdG> broken and vulnerable packages.

Any user who needs *that* much hand-holding will use a binary dist,
not a source dist.

BdG> It ascertains a Quality Assurance level that we and our users can
BdG> be comfortable with.

No, it does not.  The user base for a build-locally-from-source dist
wants wider access, not just a few packages.  

>> Leaving them in does not.

BdG> It does, as it opens the users up to unknown security
BdG> vulnerabilities and increasing brokenness as bugs are
BdG> not addressed.

Removing the ebuilds does not help that even one bit.  IF they do not
use those programs, they are not harmed even if there is some (real)
vulnerability -- and don't forget that most of the vulnerability claims
are for things which will never happen in practice.  (Which is not to
suggest that upstreams shouldn't code defensively, just that not every
warning is critical enough to lose sleep over.)

BdG> If Gentoo would stop caring about QA, then we'd be wasting
BdG> our time working on making this a better distro.

Removing ebuilds is not in itself QA.  It does not in itself improve
quality.  There has to be a real reason to remove.

Removing a leaf package which has been replaced by its upstream, whether
by a simple rename or by a complete re-implementation or anywhere
in between, is a good call.

Removing a widely-used, well-designed and well-managed library and
everything which depends on it, just because upstream has stopped
dealing with bug reports against that version, is not.  The likelihood
that any significant issues remain in qt3 is small.  The relevant apps
work, have been working and will continue to work.

I will not begrudge the kde team for wanting to support only kde4.

Dropping kde3 in favour of kde4 is just an upgrade.

But dropping qt3 even though packages exist which depend on it and have
not been ported to qt4 (and it *is* a /port/, *not* an /upgrade/) is
simply the wrong thing to do.

It is also OK to mask -- but not necessarily remove -- a package with a
truly exploitable bug; more so if the package is itself security-related.
That means real exploits in the wild, real attempts to do harm.

The so-called qa team has been acting too robotically.  It needs to show
more common sense and better judgement.  Worry about the real problems,
not the trivial.  Work to fix packages, not to murder them.

-JimC
-- 
James Cloos <cl...@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6