paul kölle wrote:
> José González Gómez wrote:
>> I would like to make a proposal here. What if no longer maintained
>> ebuilds were marked but not deleted? Let's say you have _x86 in
>> KEYWORDS for ebuilds/packages no longer maintained, that emerge is
>> aware of that and can inform us of this, and that those ebuilds are
>> maintained in the portage tree for, let's say, a year WITH NO SECURITY
>> BACKPORTS on them. This would be kind of an end-of-life notice that
>> gives you some time to react. This way you would still be able to use
>> the ebuild at your own risk, and this wouldn't represent much extra
>> workload for the Gentoo devs, as the deletion process could be
>> automated with the use of some scripts. What do you think?
> You need package manager support for a new KEYWORD. The simplest
> solution IMO is setting up a "server" overlay on overlays.gentoo.org.
> That could be used for keeping old packages around and adding new
> packages/features that could be interesting in a server environment.


I am not sure about it, but I think that there are no GLSAs published for deleted packages, so you would effectively not know if there was a security problem. By the nature of how GLSAs are written, it might still be that your version is marked as being vulnerable (most of the time it is "<specific-version"). Also, if you update only once in a while, and just for GLSAs, there will be a lot of dependencies which also would _have_ to be updated.

I think that there are simply not the resources there, but on the other hand, there are quite a few using gentoo in larger environments, so most likely they are doing exactly what most people want, and maybe some process might be initiated so that it would become easier for them to give their knowledge back to the community. On the other hand, I have never tried to keep a somewhat stable environment, so I am not absolutely sure of the work involved. But I think that gentoo being a somewhat fast-moving target, it will be more work than with binary distributions like debian, where there is a single frozen point which is called stable and there are just security updates for those exact packages. If you start doing that with the tens of versions available for about everything in portage, it has to be a lot more work. Well, it would be easier to discuss this in real life.

Greetings,

Jonas