>>>>> "BdG" == Ben de Groot <yng...@gentoo.org> writes:

BdG> On 14 March 2010 06:09, James Cloos <cl...@jhcloos.com> wrote:
>>>>>>> "BdG" == Ben de Groot <yng...@gentoo.org> writes:
BdG> Abandoned packages do not belong in the portage tree.
>> Nonsense.  That attitude only servers to harm the user base.

BdG> You're wrong. It serves to protect our users from potentially
BdG> broken and vulnerable packages.

Any user who needs *that* much hand-holding will use a binary dist,
not a source dist.

BdG> It ascertains a Quality Assurance level that we and our users can
BdG> be comfortable with.

No, it does not.  The user base for a build-locally-from-source dist
wants wider access, not just a few packages.  

>> Leaving them in does not.

BdG> It does, as it opens the users up to unknown security
BdG> vulnerabilities and increasing brokenness as bugs are
BdG> not addressed.

Removing the ebuilds does not help that even one bit.  IF they do not
use those programs, they are not harmed even if there is some (real)
vulnerability -- and don't forget that most of the vulnerability claims
are for things which will never happen in practice.  (Which is not to
suggest that upstreams shouldn't code defensively, just that not every
warning is critical enough to loose sleep over.)

BdG> If Gentoo would stop caring about QA, then we'd be wasting
BdG> our time working on making this a better distro.

Removing ebuilds is not in itself QA.  It does not in itself improve
quality.  There has to be a real reason to remove.

Removing a leaf package which has been replaced by its upstream, whether
by a simple rename or by a complete re-implementation or anywhere
inbetween, is a good call.

Removing a widely-used, well-designed and well-managed library and
everything which depends on it, just because upstream has stopped
dealing with bug reports against that version, is not.  The likelyhood
that any significant issues remain in qt3 is small.  The relevant apps
work, have been working and will continue to work.

I will not begrudge the kde team for wanting to support only kde4.

Dropping kde3 in favour of kde4 is just an upgrade.

But dropping qt3 even though packages exist which depend on it and have
not been ported to qt4 (and it *is* a /port/, *not* an /upgrade/) is
simply the wrong thing to do.

It is also OK to mask -- but not necessarily remove -- a package with a
truly exploitable bug; moreso if the package is itself security-related.
That means real exploits in the wild, real attempts to do harm.

The so-called qa team has been acting too robotically.  It needs to show
more common sense and better judgement.  Worry about the real problems,
not the trivial.  Work to fix packages, not to murder them.

James Cloos <cl...@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Reply via email to