Re: lpr/lpd

To: debian-devel@lists.debian.org
Subject: Re: lpr/lpd
From: Simon Richter <sjr@debian.org>
Date: Fri, 22 Sep 2023 23:07:39 +0900
Message-id: <[🔎] 5bf6edbe-ad6b-dee5-bbf7-5fcdcb4e94fe@hogyros.de>
In-reply-to: <[🔎] 1695363824@msgid.manchmal.in-ulm.de>
References: <[🔎] 9f7f138d-c294-10eb-d1ee-a2bbb0dadca7@alteholz.de> <[🔎] 1694972972@msgid.manchmal.in-ulm.de> <[🔎] 87r0mw1tuq.fsf@hope.eyrie.org> <[🔎] 0d24bbfa-9b63-296b-f5fa-9502bb8daf74@debian.org> <[🔎] 87led3ntuu.fsf@hope.eyrie.org> <[🔎] 1695363824@msgid.manchmal.in-ulm.de>

Hi,

On 9/22/23 16:41, Christoph Biedl wrote:

That's not surprising: lpr is an old technology, it may be simple but it
has quirks. People moved on, and if they cared a little, they let go.

Erm. We're talking about printers here. lpr is the protocol with thefewest quirks.

I agree that the desktop users have moved on, and they will move on towhatever we present them as default next.

But I also think there are quite a few installations that still usethese packages, and where people don't have much of an issue with thepackages being effectively NMU-maintained, because their system works,and change only brings uncertainty -- especially if it is change towardssomething that is "actively" maintained and constantly updated.

My suspicion is that a lot of these installations will have a heavyamount of homebrew scripting added to them, so supporting them from anewer printing system would mean creating a bug-compatible emulation,which we can all agree is a forever maintenance burden unless you alsohave a plan to migrate these users to a legacy-free environment.

     Do we provide our users a good service if we keep such zombies alive
     for such a long time?

Yes and no. We're providing a better service than pulling the rug underthe users, but we could do better by communicating that these packagesare in need of new maintainers instead of waiting for them to bit-rot toa point where we have an excuse to remove them -- because all we'redoing that way is justify the rug pull, but the impact for the usersisn't minimized.

Plus, most of that code is in C, and I take the liberty to state they
all have security issues. They are just unknown, because no one bothered
to take a closer look. But these bugs exist simply because twenty and
more years ago, secure programming wasn't that common.

It is simple, straightforward code with a service record of over twentyyears, and I remember that we had security researchers back then andthere were several advisories on bugtraq for lprng.

Without an external limitation (mostly specific hardware) it's hard to
draw a line when it's obviously the time to remove near-dead packages,
at least from the stable releases. I don't have a good idea either what
to do here.

Same. I think that it cannot be solved on a per-package basis, insteadwe might need infrastructure.

One thing I'd think might help would be a tag in the package databasethat is derived from WNPP status, which would allow the summary outputat the end of installs also list packages that are installed that arecurrently in RFA or O state.

I believe we used to have a tool for that in Debian, but almost no onehad it installed because it had additional overhead, making it pointless.


   Simon

Reply to:

Follow-Ups:
- Re: lpr/lpd
  - From: "Theodore Ts'o" <tytso@mit.edu>
- Re: lpr/lpd
  - From: Paul Wise <pabs@debian.org>

References:
- lpr/lpd
  - From: Thorsten Alteholz <debian@alteholz.de>
- Re: lpr/lpd
  - From: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
- Re: lpr/lpd
  - From: Russ Allbery <rra@debian.org>
- Re: lpr/lpd
  - From: Simon Richter <sjr@debian.org>
- Re: lpr/lpd
  - From: Russ Allbery <rra@debian.org>
- Re: lpr/lpd
  - From: Christoph Biedl <debian-devel@lists.debian.org>

Prev by Date: Re: debian/copyright format and SPDX
Next by Date: Bug#1052461: ITP: filecheck -- Attempt to reimplement LLVM's FileCheck using Python.
Previous by thread: Re: lpr/lpd
Next by thread: Re: lpr/lpd
Index(es):
- Date
- Thread