Eli Schwartz <[email protected]> writes:

> On 3/10/26 8:18 PM, Sam James wrote:
>
>> OK, but what do we do about the dev-python/chardet case? How do we
>> signal to people that they shouldn't bump to it and shouldn't depend on
>> >=7 (the bad version)?
>>
>> We can rely on people "just knowing" for chardet because it's maintained
>> by @python, but what do we do for maintainer-needed packages say in this
>> state?
>
>
> This seems best suited to preemptively package.mask'ing >=xyz, with a
> suitable explanation. Attempting to bump to it will automatically
> "fail", and it is already visibility == 0 to pkgcheck so other packages
> cannot depend on it unless similarly visibility == 0.
Yes, you're right. It'll work for chardet-style catastrophic cases. It won't work for say, vim, but I'm coming to the position that we probably want at least 2 approaches for this as I've outlined in other emails (one for the egregious cases, one for users to exercise their choice).

sam
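As an added illustration of the mechanism Eli describes (a pre-emptive package.mask entry making the bad version invisible, so nothing can depend on it), the following is example code written for this thread, not Portage's or pkgcheck's own logic; it assumes a simplified atom syntax (only numeric dotted versions, no -rN or _pN suffixes) and a constructed package.mask block with placeholder maintainer details.

```python
# Added example (not Portage's or pkgcheck's code): a simplified model of
# how a package.mask entry hides versions from dependency resolution.
# Simplifications: only numeric dotted versions, no -rN or _pN suffixes.

def parse_atom(atom):
    """Split an atom like '>=dev-python/chardet-7' into (op, cat/pkg, version)."""
    atom = atom.strip()
    op = ""
    for candidate in (">=", "<=", ">", "<", "="):
        if atom.startswith(candidate):
            op, atom = candidate, atom[len(candidate):]
            break
    head, sep, tail = atom.rpartition("-")
    if sep and tail[:1].isdigit():
        return op, head, tuple(int(x) for x in tail.split("."))
    return op, atom, None

def matches(op, want, have):
    """Does candidate version 'have' satisfy the atom's operator and version?"""
    if want is None:
        return True  # unversioned atom: any version matches
    return {">=": have >= want, "<=": have <= want, ">": have > want,
            "<": have < want, "=": have == want, "": have == want}[op]

def load_masks(text):
    """Comment lines carry the explanation; bare lines are masked atoms."""
    return [parse_atom(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def visible_versions(cp, versions, masks):
    """Versions of cp that no mask entry covers (the ones still 'visible')."""
    return [v for v in versions
            if not any(mcp == cp and matches(mop, mver, v) for mop, mcp, mver in masks)]

def dependency_satisfiable(dep, available, masks):
    """True if at least one visible version satisfies the dependency atom."""
    op, cp, ver = parse_atom(dep)
    return any(matches(op, ver, v)
               for v in visible_versions(cp, available.get(cp, []), masks))

# Constructed sample input: a package.mask block and the versions in tree.
PACKAGE_MASK = """\
# Placeholder Maintainer <maintainer@example.invalid> (YYYY-MM-DD)
# Constructed example entry: the 7.x series is the bad version; do not
# bump to it or depend on it.
>=dev-python/chardet-7
"""
AVAILABLE = {"dev-python/chardet": [(5, 2, 0), (6, 0, 0), (7, 0, 0)]}
MASKS = load_masks(PACKAGE_MASK)

if __name__ == "__main__":
    for dep in (">=dev-python/chardet-7", "dev-python/chardet"):
        ok = dependency_satisfiable(dep, AVAILABLE, MASKS)
        print(dep, "->", "ok" if ok else "unsatisfiable (only masked versions match)")
```

A depending package that itself wants >=7 gets no visible candidate, which is the "cannot depend on it" outcome from the quoted message; unversioned or <7 dependencies still resolve against the unmasked 5.x/6.x versions.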
