160708 Alec Warner wrote:
> On Fri, Jul 8, 2016 at 1:21 PM, Philip Webb <purs...@ca.inter.net> wrote:
>> (1) The fact that a pkg has little or no upstream support
>> or that it doesn't have an active Gentoo maintainer
>> is not a reason for removing it from the regular tree.
> So basically what you are advocating for is:
> "Having completely unmaintained packages in the tree is OK".
> And honestly, I do not buy that premise.

I went on to point out :
>> One basic reason some software is no longer being actively developed
>> is simply that it works perfectly well as it now is,
>> eg the file manager Krusader & the desktop manager Fluxbox :
>> both of these are very useful & have no drop-in replacements,
>> but very little development has occurred for several years.
>> The same is true of Xcdroast & Nethack, which have been threatened,
>> but which have been rescued after some small patches have been applied.
>> This is likely to be true of more + more pkgs, as time passes :
>> even changes in the kernel these days rarely affect desktop users.

My point here is that lack of upstream development doesn't necessarily mean
that an app is "dead", but may simply result from its being completed.
Xcdroast simply works & had  1  obscure security problem, now fixed.
The problem with other burners is that they demand sound software,
which I have no need for on my system, so I want to go on using
the simple reliable app which has always got the job done.

> No one is trying to remove Fluxbox, which had a release in 2015
> and had activity in its git repo as recently as last week.

Not yet, they're not, but changes have been minimal for a long time.
Krusader had an update in Git 24 hours ago,
but the latest version is 3 years old.
It's an excellent file manager, which I rely on regularly,
but it's only "semi-alive" upstream.

> Xcdroast for example, hasn't had a release in 8 years
> and I can't even find its source tracker in Sourceforge.
> These are the sorts of packages I think are not great to have in the tree
> and for Xcdroast, if I were treecleaner lead, I would probably advocate
> for working around the security bug (dropped SUID) instead of removal.
> I do not necessarily want to remove software that people are using.

So you are saying -- perhaps correctly -- that the problem here
was not bad tree-cleaning policy, but incompetent tree-cleaning
(I don't mean to criticise whoever did it : I make mistakes too).

> That being said, I do not want unmaintained software in the tree either.

This is not black vs white : a package can be 'lightly maintained',
ie there's no regular maintainer, but equally there are no real problems
& those which exist could be fixed fairly easily, if need be.
That was the case with Xcdroast & earlier with Nethack.

So another suggestion from me for Gentoo policy
-- like recognising different categories of user --
is to create a new class of pkg called 'lightly maintained',
which would include older but still useable software,
which is no longer being actively developed, as it is largely complete.

>> (2) There are  3  basic categories of Gentoo user :
>> (a) server-farm managers, (b) multi-user sysadmins, (c) single-users.
>> Each of these has different security concerns :
>> (a) need to be alert to the many threats from all over the Internet ;
>> (b) need (among other things) to prevent privilege escalation ;
>> (c) are largely immune to those types of threat,
>> though a few of the Internet variety can affect them.
> I appreciate the argument you are trying to make,
> but I do not think it should drive Gentoo Security Policy.

Surely, it's very relevant for the reasons I have listed :
eg I don't have to worry re privilege escalation,
as I can escalate my privileges anytime I want by opening a root terminal
(no-one else has physical access to my machine).

> As my security manager used to say "security is not a race to the bottom".

Obviously true, but that's not in question here.

> Suppose :
> 1) It appears that no Gentoo developers want to maintain a package.
> 2) The software package has no active upstream.
> 3) The software has open bugs.
> 4) We mask it for years, because it has bugs and no active maintainer.
> 5) No one volunteers to proxy-maintain the software.
> You advocate we keep such software in the tree,
> because users are "too busy" or "too old" to maintain it themselves ?

Yes, I do, depending on how serious the bugs are : in the cases
of Xcdroast + Nethack, they were not serious on single-user systems.
Nor do I accept your scare quotes : most users are too busy
to be able to become developers nor should they be asked to ;
the average age of Gentoo developers seems to be around 30 years,
so anyone 50 years old or more would find the job that much more challenging.

>> (b) there needs to be a developer role 'General Maintainer',
> In an ideal world, the tree would be full of properly maintained packages.
> There are > 1500 packages in the tree in the 'maintainer-needed' state :
> see  https://qa-reports.gentoo.org/output/maintainer-needed.html
> Even if we allocated 100 packages per developer,
> this "General Maintainer" team would be 15 developers strong
> and one of the largest projects in Gentoo.  To compare,
> the Treecleaner project is 7 people, the Security project is 10 people.

If there were a class of packages which were 'lightly maintained',
a developer could keep an occasional eye on > 100
&  7  devs could cover nearly half of the total.
Xcdroast hasn't needed attention since the bug report in 2010 :
it was only over-hasty behaviour by a tree-cleaner which created a problem
(again, I'm not targeting anyone for criticism) ;
Krusader hasn't had a new version since 2013 .
That will be true of more + more pkgs as the free-software galaxy matures.

> This is in fact part of the rationale of the Treecleaner project itself.
> Ebuilds require maintenance (eclass updates, new EAPIs, etc)
> and someone has to do this work
> or we end up with 6 supported EAPIs in the tree.
> This is one reason why packages that are unmaintained are removed :
> we do not have 15 spare humans to clean up the unmaintained packages,
> so we remove them when it is feasible to do so.

No-one has been doing any such maintenance on Xcdroast or Krusader,
but they go on doing their useful jobs for a number of Gentoo users.
A 'lightly maintained' pkg might get attention every year or two typically.

Thanks for your prompt + intelligent response.
I hope my thoughts from user-land will help to improve Gentoo policies.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca