On Sun, 2009-04-26 at 11:58 -0400, Martin Owens wrote:
> More useful would be to assess the bit-rot, number of bugs, any
> critical or security issues which make it dangerous.
[...]
> barring any security issues I see no reason why it should be removed.
> (although I'm sure these things are assessed in due process)

You are correct, these things are usually assessed. However, while a package may not have any known security issues now, there's nothing to say that it doesn't have some unknown ones, and if there is no upstream then it reduces the chances that they will be found and dealt with.

Usually more pressing is the question of who cares for the package. There is a cost to keeping the packages around, and while it is usually small, it is not negligible. If we keep the package in the repositories then it would be reasonable for users of the package to assume that they could get some level of support for the package.

> The other option is to move these things to an "unmaintained" repository
> where users can have the initiative to install things they want but also
> be made aware of its unmaintained nature (perhaps even encouraging
> developers to maintain it). At least then people wouldn't have to go
> digging around for PPAs.

This isn't necessarily a bad idea, however I don't think I would like to see it.

Firstly, there is the question of bugs, as it would still be possible to file bugs against these packages in Ubuntu, without any clue given to the user that they are using an unsupported package. This would reflect badly on the distribution.

Secondly, there is the question of user awareness of what they are doing. Simply enabling the repository to install something would then lead to it not being clear which packages you install later are unmaintained. It would be possible to teach the packaging tools about this, but it would be a significant investment I fear (though one that may be useful for making third-party repositories more palatable).

I would think that PPAs would be better in some respects, as while we would have less control over the contents, the fact that they are more targeted is a benefit here.

It would be quite easy to write a script that grabbed each removed package and uploaded it to a PPA, however it's not necessarily going to build, if it does it may not work correctly any more, and further it may be being removed for a very good reason (being terminally vulnerable to remote exploits for instance).

Thanks,

James