Dne 11. 02. 26 v 18:31 Daniel P. Berrangé napsal(a):
On Wed, Feb 11, 2026 at 05:48:52PM +0100, Vít Ondruch wrote:How about policy:"When there is the-new-hotness ticket in Bugzilla unresolved for more then N releases, orphan the package" Although, if only maintainer is allowed to enable the monitoring, that might not work. But I think we should also consider to have the monitoring enabled for all components.IMHO before we talk about policy for dropping existing "old" software in Fedora, we should first consider policy for the initial package submission. Or more generally What does Fedora want to be open to shipping ? Everything, or a selectively curated subset ? In initial submission, we are extremely permissive in what we allow to be added to Fedora. If we want to tighten rules in order to remove stuff from the distro, we should apply those same rules when stuff is first proposed to the distro, so we have a consistent vision of what Fedora wants to ship. AFAIR, in package review guidelines we don't require the upstream to be alive; we don't require to ship the very latest upstream version; we don't forbid shipping multiple (old) versions in parallel with new versions; etc. These things are merely "best practice" to aid ongoing maint. The hard blockers for adding stuff to Fedora have been limited to the Legal realm (unacceptable licensing, patent concerns). The classic example of how we allow anything to remain, no matter how ancient or dead upstream, is that we still ship GTK 1, GTK 2, GTK 3 and now GTK 4. GTK 1 is almost 25 years old now and IIUC considered dead by upstream for that whole time, since GTK 2.0 arrived.
These are good examples. However, I believe these packages are maintained. Just look at the https://src.fedoraproject.org/rpms/gtk2/commits/rawhide activity.
But I think this was aimed more at the situation where somebody wants X in Fedora, then realizing it actually requires A, B, C where C depends on Q, L. And after they get Q, L into Fedora, the live moves on and they never get to X, while Q, L are left in Fedora sitting around.
Vít
This probably ties into ongoing debate/concern around Fedora shipping stuff without addressing CVEs in any consistent / timely manner. As software ages it becomes increasingly burdensome to address CVEs in Fedora, as upstreams focus on providing fixes only for newer versions. At some point though we get the "illusion of increased security", as people stop even thinking about the old version at all, so the versions aren't even tagged with CVEs that do apply, and researchers stop looking for the flaws that almost certainly will exist in the old code. I don't know what the right answer here is. I can understand the motivation to ship old software if it is still functional, but there are clear downsides at the same time. With regards, Daniel
OpenPGP_signature.asc
Description: OpenPGP digital signature
-- _______________________________________________ devel mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new
