> On 16. Mar 2024, at 10:45, void <v...@f-m.fm> wrote:
> On Sat, 16 Mar 2024, at 08:28, Miroslav Lachman wrote:
>> For vulnerabilities, there is VuXML and pkg audit, not removing
>> vulnerable port from the tree.
> I'm talking about *moving* them to a *different* tree, with different
> priorities, so preserving choice while implicitly informing of risks,
> and decreasing the maintenance burden to those running port infra.
> I'd imagine some threshold would need to be decided on.
>> If you are asking to remove ports without maintainer, you are asking to
>> remove 3458 ports right now, and many others depends on these
>> unmaintained ports, so the impact will be much bigger.
>> Some unmaintained ports are almost vital - for example without
>> virtual_oss you cannot use Bluetooth headphones / speakers connected to
>> FreeBSD.
> I'm not asking to remove anything, just move to a different tree.
Yeah, it’s like after a failed investment your money is not really gone, it’s
just somewhere else.
> People could
> follow one or the other depending on their (for example) security posture.
> They'd be able to easily make an informed choice.
> --
Seriously, the “other” tree would rot in no time, this is not practical (it’s
also interesting how the discussion moved from ‘ports unmaintained upstream’ to
‘ports without a maintainer’). If the goal is to have a pure system nobody
uses, please go ahead.
I (still) think an approach where `pkg audit`warns about unmaintained ports
(and ports without an upstream maintainer), maybe even having config options
that prevent the installation of such ports - which could be on by default -
would be a way to allow people to make informed decisions without removing
these ports from the tree.