On Fri, Jul 8, 2016 at 2:50 PM, Alec Warner <anta...@gentoo.org> wrote:
> On Fri, Jul 8, 2016 at 1:21 PM, Philip Webb <purs...@ca.inter.net> wrote:
>
>> 160708 William Hubbs wrote:
>> > On Fri, Jul 08, 2016 at 05:56:04PM +0300, Andrew Savchenko wrote:
>> >> IMO the criteria should be whether they work or not,
>> >> not whether upstream is more or less active.
>> >> If they're blockers on other work, by all means cull them.
>> >> However, if the biggest problem with them is
>> >> that they're using a few inodes in the repo, they should probably stay.
>> > There is an overlay for packages that are removed from the official tree
>> > -- https://github.com/gentoo/graveyard --
>> > and that is where old software should go,
>> > if it doesn't have an active maintainer.
>>
>> A lot of this lengthy discussion is missing some basic points,
>> though a few people have mentioned them in passing.
>> As someone who has used Gentoo exclusively since 2003
>> & who raised the objections to removal of Xcdroast + Nethack,
>> let me try to get you all to focus on the real-life issues.
>>
>> (1) The fact that a pkg has little or no upstream support
>> or that it doesn't have an active Gentoo maintainer
>> is not a reason for removing it from the regular tree.
>
> So basically what you are advocating for is:
>
> "Having completely unmaintained packages in the tree is OK."
>
> And honestly, I do not buy that premise.
>
>> One basic reason some software is no longer being actively developed
>> is simply that they work perfectly well as they now are,
>> eg the file manager Krusader & the desktop manager Fluxbox :
>> both of these are very useful & have no drop-in replacements,
>> but very little development has occurred for several years.
>> The same is true of Xcdroast & Nethack, which have been threatened,
>> but which have been rescued after some small patches have been applied.
>> This is likely to be true of more + more pkgs, as time passes :
>> even changes in the kernel these days rarely affect desktop users.
>
> No one is trying to remove Fluxbox (which had a release in 2015 and had
> activity in its git repo as recently as last week.)
>
> Xcdroast, for example, hasn't had a release in 8 years and I can't even
> find its source tracker on SourceForge. These are the sorts of packages
> that I think are not great to have in the tree, and for Xcdroast, if I were
> treecleaner lead I would probably advocate for working around the security
> bug (dropped SUID) instead of removal. I do not necessarily want to remove
> software that people are using.
>
> That being said, I do not want unmaintained software in the tree either.
>
>> (2) There are 3 basic categories of Gentoo user :
>> (a) server-farm managers, (b) multi-user sysadmins, (c) single-users.
>> Each of these has different security concerns :
>> (a) need to be alert to the many threats from all over the Internet ;
>> (b) need (among other things) to prevent privilege escalation ;
>> (c) are largely immune to those types of threat,
>> though a few of the Internet variety can affect them.
>
> I appreciate the argument you are trying to make; but I do not think it
> really drives Gentoo Security Policy (nor should it.)
>
> As my security manager used to say, "security is not a race to the bottom."
>
>> The security objections raised against Xcdroast + Nethack
>> were both problems which would arise only on multi-user systems,
>> yet single-users were also to be deprived of access to them.
>> Perhaps part of the problem is that many Gentoo developers
>> also earn their livings as sysadmins with many users or many servers :
>> the simpler happier world of single-users escapes their attention.
>>
>> (3) Users generally don't want to be developers : they're too busy or too old.
>> Asking them "Are you willing to maintain it yourself ?" is a silly excuse ;
>> offering them the chance to dig around in a graveyard is even worse ;
>> even maintaining an overlay is a nuisance : I tried it with KDE Sunset.
>> Neither Xcdroast nor Nethack belong in a graveyard of any kind :
>> once the obscure security problems have been fixed,
>> they belong in the regular tree marked 'stable',
>> like many other pkgs whose development has been completed.
>>
>> Users all do -- or should -- appreciate the unpaid work of the developers,
>> but developers also need to realise that without non-developer users
>> Gentoo would very quickly die & their justified pride + satisfaction die too.
>
> I'm a bit confused by this argument.
>
> 1) It appears that no Gentoo developers want to maintain a software package.
> 2) The software package has no active upstream.
> 3) The software has no bugs.
> Sorry, in my argument the package has open bugs, I mis-typed ;)
> 4) We mask the software because it has bugs and no active maintainer, for years.
> 5) No one volunteers to proxy-maintain the software.
>
> But you advocate we keep such software in the tree, because users are "too
> busy" or "too old" to maintain it themselves?
>
>> (4) I have 3 simple recommendations to fix the everyday problems.
>>
>> (a) the justification for tree-cleaning should be explicitly
>> that a pkg either (i) won't compile, (ii) crashes when run
>> or (iii) has a serious security hole which affects all 3 types of user.
>>
>> (b) there needs to be a developer role 'General Maintainer',
>> who should be available to look at pkgs which have no regular maintainer,
>> but which compile, run properly & are generally secure :
>> their job would be to step in, like Mr Savchenko -- thanks again -- ,
>> to fix small problems which would otherwise be neglected ;
>> less formally, all developers might see it as part of their role
>> to help out occasionally with such small problems.
>
> In an ideal world, the tree would be full of properly maintained packages.
>
> There are over 1500 packages in the tree in the 'maintainer-needed'
> state[1].
>
> Even if we allocated 100 packages per developer, this "General Maintainer"
> team would be 15 developers strong and one of the largest projects in
> Gentoo. To compare, the Treecleaner project is 7 people; the Security
> project is 10 people.
>
> This is in fact part of the rationale of the Treecleaner project itself.
> Ebuilds require maintenance (eclass updates, new EAPIs, etc) and someone
> has to do this work (or we end up with 6 supported EAPIs in the tree.) This
> is one reason why packages that are unmaintained are removed; we do not
> have 15 spare humans to clean up the unmaintained packages, so we remove
> them when it is feasible to do so.
>
>> (c) Gentoo's rules + policies need explicitly to reflect the fact
>> that there are 3 types of user, as described :
>> eg some pkgs might be marked as 'not safe for multi-user systems' ;
>> that would recognise real distinctions which are now being ignored.
>>
>> HTH & thanks as always to all of you for making Gentoo work since 2003.
>
> [1] https://qa-reports.gentoo.org/output/maintainer-needed.html
>
>> --
>> ========================,,============================================
>> SUPPORT ___________//___, Philip Webb
>> ELECTRIC /] [] [] [] [] []| Cities Centre, University of Toronto
>> TRANSIT `-O----------O---' purslowatchassdotutorontodotca