On Tue, Jun 09, 2026 at 04:28:05PM +0200, Sylvain Beucler wrote:
> Hi,
>
> On 09/06/2026 11:32, Holger Levsen wrote:
> > On Mon, Jun 08, 2026 at 09:14:35PM +0000, Moritz Mühlenhoff wrote:
> > > It's marked as bogus in the security tracker. I don't think we should
> > > start declaring random packages which are dead upstream as unsupported,
> > > that won't scale and is also not the right course of action. We have
> > > 100s of other packages which no longer have an active upstream and
> > > if there's ever a genuine security issue for ply we can look into
> > > fixes ourselves.
> >
> > agreed and +1
>
> Would it make sense to mark such packages as "limited support"?
> (not merely lowly active or abandoned, but officially retired and without
> compatible replacement/fork, especially with rdeps.)

Not really, "limited support" is used for different things.

> They can only get a "best effort" support, notably without upstream to
> sanction our fix, which isn't on par with regularly supported packages.
> This also hints that something needs to change to get full support again.

There are other mechanisms to deal with it, e.g. removing a package in favour
of alternatives if it becomes too burdensome.

Cheers,
Moritz