On Sat Jan 10, 2026 at 10:17 PM GMT, Gioele Barabucci wrote:
> * MARKED AS LEGACY: d/README.source explicitly describes the legacy status of this package.

We have Section: oldlibs for that (and gtk2 is already in it).

> * SECURE: Known security issues must be fixed in unstable and stable in X days, or the FTP masters will permanently remove the library. (This may imply that the team is now the new upstream.)

This is ambiguous (do you mean known security *fixes* must be applied, or an unpatched vulnerability must have a fix written too?) and is also a stronger requirement than has ever been applied to any component within Debian.

> * NO BURDEN: No modifications to the builders nor specific outdated versions of compilers/runtime environments are required to build the binary packages.

What does outdated mean? It sounds like the proposed rules are leaking out to other packages. Say gtk+2.0 build broke with a future gcc-N, and an explicit build dependency was added to gcc-M. Is this allowed? Does it depend if gcc-M is already still in the archive? Does it depend if other packages also explicitly depend on gcc-M? What if they stop? What if nothing except gtk+2.0 explicitly depended on gcc-M: would it be forced out of the archive too?

-- 👱🏻 Jonathan Dowland ✎ [email protected] 🔗 https://jmtd.net

