On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mike...@gmail.com> wrote:
>
> For security's sake, even mature software needs, at minimum, routine auditing.
> Unless someone's doing that work, the package should be considered for
> removal. (Call that reason # π, in honor of TeX.)
>
Are you suggesting that we should ban any package from the tree if we don't have evidence of it having recently been subjected to a security audit? We might literally have 3 packages left in the tree in that case, probably not including the kernel (forget the GNU/Linux debate, we might be neither).

The fact that a project gets 47 commits and 100 list posts a week doesn't mean that it is being security audited, or that security is any kind of serious consideration in how their workflow operates.

I tend to be firmly in the camp that a package shouldn't be removed unless there is evidence of a serious bug (and that includes things blocking other Gentoo packages). If somebody wants to come up with a "curated" overlay or some way of tagging packages that are considered extra-secure, that would be a nice value-add, but routine auditing is not a guarantee we provide to our users. The lack of such an audit should not be a reason to treeclean.

--
Rich