On 2026-01-13 09:46:53 -0800, Josh Triplett wrote:
> Jonathan Dowland wrote:
> > On Fri Jan 9, 2026 at 10:14 AM GMT, Emilio Pozuelo Monfort wrote:
> > > If GTK+2 is dead upstream for so long, then it'd be a disservice to
> > > our users to keep shipping it in new releases.
> >
> > Can you expand on why?
>
> Because *in general* software that's dead upstream is a hazard; it'll
> get no upstream maintenance, no bugfixes, no security updates, no
> updates to use newer versions of *other* libraries (which means it may
> slow or block transitions), etc.

In the case of GKrellM + GTK2, I don't know of any bug and there are no
new features (thus no risk of introducing new bugs), so there is no
need for bug fixes, security updates and updates to newer versions.

One advantage is that GTK2 has had many users, even after the library
got frozen. So it is probably quite robust. It should be dropped only
if one day it becomes unusable and unfixable.

On the other hand, I had reported hundreds of bugs in other software,
some of them open for many years, some of them with security
implications, with often no attempts to fix them.

And if you care about removing old software, why not start with rplay?
It has been dead upstream since 1999! The code is horrible, with
integer overflows, no checks of malloc() return value, etc. An
exploitable security issue was found following my bug report

  <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118224>,

which was closed after this vulnerability got fixed, but I still
don't have any trust in the code.

Note that only 2 packages depend on librplay3: fvwm and vtwm, which
are both window managers and have no real reason to depend on such an
audio library. For fvwm, it is apparently optional (enabled by the
configure script). I don't know about vtwm.

> If someone wants to keep it alive, by all means they should do so, but
> in that case, they should fork it upstream and give it a name (e.g.
> "GTKlassic"), and *maintain an upstream for it*, independently of any
> distribution. Debian packaging shouldn't be the de facto home of an
> otherwise dead project.

I agree on that (possibly except for a new name, unless this is
really necessary). I suppose that other distributions might want
to keep it (or bring it back), and it would be a benefit for users
to have a single upstream.

-- 
Vincent Lefèvre <[email protected]> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)

