Re: Considerations for 'xmms' removal from Debian

On Sun, 08 Jul 2007 11:48:39 +0100
Roger Leigh <rleigh@whinlatter.ukfsn.org> wrote:

> Kapil Hari Paranjape <kapil@imsc.res.in> writes:
> > * There are a number of other GTK 1.2 packages.
>
> GTK+ 1.2 (and GLib 1.2) were abandoned upstream over *six years* ago.
> It's rather probable (nay, doubtless) that there are unidentified and
> unfixed security problems with these libraries.

No doubt.

> Given that upstreams have had over five years to port their code, it
> is time to drop dead code that is not maintained, IMO. 

I suspect that many of the packages still dependent on gtk1 now were
already dead upstream before gtk2 became available. However, a dead
upstream is different to being unmaintained in Debian. The Debian
maintainer has the opportunity to request removal of a package if the
lack of upstream development is a problem. Many do not feel that a dead
upstream is actually a problem.

> It's not like
> there isn't huge amounts of compatibility code in GTK, GDK and GLib to
> ease such porting (I've used it myself).  A minimal port is often just
> a bunch of regex search and replace operations, with some small amount
> of rewriting.

Such a minimal port is hardly worth doing. It is possible to migrate
from glib1 to glib2 in such a way (see #359299) but it is much harder
to go from gtk1 to gtk2. I've been involved in three gtk1->gtk2 ports,
one v.large (GnuCash), one v.small with a dead upstream (quicklist) and
one where a "minimal port" (the last act of the old upstream) combined
with an ill-advised RCS branch has left a horrible mess of spaghetti
code. I'm not sure if the third will ever be a sane Gtk2 application.

The Quicklist gtk2 port is in experimental as a pre-release but to do
that I have had to refactor >75% of the codebase just to make the old
gtk1 interface remotely usable with Gtk2 widgets. There is quite a lot
more work to do to make the port stable. Porting from gtk1 to gtk2 is
not trivial, even for small gtk applications using default gtk1 widgets.

> Note that this is irrespective of how good XMMS is or is not.  The
> libraries it depends on are dead, and they should have upgraded years
> back.

$ apt-cache rdepends libgtk1.2 | grep -c -v "^lib"

I'm not sure Debian needs to throw out over 300 applications before
Lenny. True, most of those are dead upstream - AFAICT GnuCash was the
last active upstream to make it to gtk2 - but although these packages
use old libraries that have an undoubted *potential* for security
problems, in the absence of actual bug reports is it really worth
dropping so many packages?

Is a dead upstream sufficient cause to drop a package from Debian in
the absence of any RC bugs? Is a dependency on libgtk1.2 going to *be*
an RC bug for Lenny? It seems a very big step, IMHO.


Neil Williams

