On Fri, Jul 8, 2016 at 1:21 PM, Philip Webb <purs...@ca.inter.net> wrote:
> 160708 William Hubbs wrote:
> > On Fri, Jul 08, 2016 at 05:56:04PM +0300, Andrew Savchenko wrote:
> >> IMO the criteria should be whether they work or not,
> >> not whether upstream is more or less active.
> >> If they're blockers on other work, by all means cull them.
> >> However, if the biggest problem with them is
> >> that they're using a few inodes in the repo, they should probably stay.
> > There is an overlay for packages that are removed from the official tree
> > -- https://github.com/gentoo/graveyard --
> > and that is where old software should go,
> > if it doesn't have an active maintainer.
>
> A lot of this lengthy discussion is missing some basic points,
> though a few people have mentioned them in passing.
> As someone who has used Gentoo exclusively since 2003
> & who raised the objections to removal of Xcdroast + Nethack,
> let me try to get you all to focus on the real-life issues.
>
> (1) The fact that a pkg has little or no upstream support
> or that it doesn't have an active Gentoo maintainer
> is not a reason for removing it from the regular tree.

So basically what you are advocating for is: "Having completely unmaintained packages in the tree is OK." And honestly, I do not buy that premise.

>
> One basic reason some software is no longer being actively developed
> is simply that they work perfectly well as they now are,
> eg the file manager Krusader & the desktop manager Fluxbox :
> both of these are very useful & have no drop-in replacements,
> but very little development has occurred for several years.
> The same is true of Xcdroast & Nethack, which have been threatened,
> but which have been rescued after some small patches have been applied.
> This is likely to be true of more + more pkgs, as time passes :
> even changes in the kernel these days rarely affect desktop users.
>

No one is trying to remove Fluxbox (which had a release in 2015 and had activity in its git repo as recently as last week.)

Xcdroast, for example, hasn't had a release in 8 years and I can't even find its source tracker on SourceForge. These are the sorts of packages that I think are not great to have in the tree, and for Xcdroast, if I were treecleaner lead I would probably advocate for working around the security bug (dropped SUID) instead of removal. I do not necessarily want to remove software that people are using. That being said, I do not want unmaintained software in the tree either.

>
> (2) There are 3 basic categories of Gentoo user :
> (a) server-farm managers, (b) multi-user sysadmins, (c) single-users.
> Each of these have different security concerns :
> (a) need to be alert to the many threats from all over the Internet ;
> (b) need (among other things) to prevent privilege escalation ;
> (c) are largely immune to those types of threat,
> though a few of the Internet variety can affect them.
>

I appreciate the argument you are trying to make; but I do not think it really drives Gentoo Security Policy (nor should it.) As my security manager used to say, "security is not a race to the bottom."

>
> The security objections raised against Xcdroast + Nethack
> were both problems which would arise only on multi-user systems,
> yet single-users were also to be deprived of access to them.
> Perhaps part of the problem is that many Gentoo developers
> also earn their livings as sysadmins with many users or many servers :
> the simpler happier world of single-users escapes their attention.
>
> (3) Users generally don't want to be developers : they're too busy or too old.
> Asking them "Are you willing to maintain it yourself ?" is a silly excuse ;
> offering them the chance to dig around in a graveyard is even worse ;
> even maintaining an overlay is a nuisance : I tried it with KDE Sunset.
> Neither Xcdroast nor Nethack belong in a graveyard of any kind :
> once the obscure security problems have been fixed,
> they belong in the regular tree marked 'stable',
> like many other pkgs whose development has been completed.
>
> Users all do -- or should -- appreciate the unpaid work of the developers,
> but developers also need to realise that without non-developer users
> Gentoo would very quickly die & their justified pride + satisfaction die too.
>

I'm a bit confused by this argument. 1) It appears that no Gentoo developers want to maintain a software package. 2) The software package has no active upstream. 3) The software has no bugs. 4) We mask the software because it has bugs and no active maintainer, for years. 5) No one volunteers to proxy-maintain the software. But you advocate we keep such software in the tree, because users are "too busy" or "too old" to maintain it themselves?

>
> (4) I have 3 simple recommendations to fix the everyday problems.
>
> (a) the justification for tree-cleaning should be explicitly
> that a pkg either (i) won't compile, (ii) crashes when run
> or (iii) has a serious security hole which affects all 3 types of user.
>
> (b) there needs to be a developer role 'General Maintainer',
> who should be available to look at pkgs which have no regular maintainer,
> but which compile, run properly & are generally secure :
> their job would be to step in, like Mr Savchenko -- thanks again -- ,
> to fix small problems which would otherwise be neglected ;
> less formally, all developers might see it as part of their role
> to help out occasionally with such small problems.
>

In an ideal world, the tree would be full of properly maintained packages. There are over 1500 packages in the tree in the 'maintainer-needed' state[1]. Even if we allocated 100 packages per developer, this "General Maintainer" team would be 15 developers strong and one of the largest projects in Gentoo.

To compare, the Treecleaner project is 7 people; the Security project is 10 people. This is in fact part of the rationale of the Treecleaner project itself. Ebuilds require maintenance (eclass updates, new EAPIs, etc) and someone has to do this work (or we end up with 6 supported EAPIs in the tree.) This is one reason why packages that are unmaintained are removed; we do not have 15 spare humans to clean up the unmaintained packages, so we remove them when it is feasible to do so.

> (c) Gentoo's rules + policies need explicitly to reflect the fact
> that there are 3 types of user, as described :
> eg some pkgs might be marked as 'not safe for multi-user systems' ;
> that would recognise real distinctions which are now being ignored.
>
> HTH & thanks as always to all of you for making Gentoo work since 2003.
>

[1] https://qa-reports.gentoo.org/output/maintainer-needed.html

>
> --
> ========================,,============================================
> SUPPORT ___________//___, Philip Webb
> ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
> TRANSIT `-O----------O---' purslowatchassdotutorontodotca