On Sun, 08 Jul 2007 11:48:39 +0100 Roger Leigh <rleigh@whinlatter.ukfsn.org> wrote: > Kapil Hari Paranjape <kapil@imsc.res.in> writes: > > * There are a number of other GTK 1.2 packages. > > GTK+ 1.2 (and GLib 1.2) were abandoned upstream over *six years* ago. > It's rather probable (nay, doubtless) that there are unidentified and > unfixed security problems with these libraries. No doubt. > Given that upstreams have had over five years to port their code, it > is time to drop dead code that is not maintained, IMO. I suspect that many of the packages still dependent on gtk1 now were already dead upstream before gtk2 became available. However, a dead upstream is different to being unmaintained in Debian. The Debian maintainer has the opportunity to request removal of a package if the lack of upstream development is a problem. Many do not feel that a dead upstream is actually a problem. > It's not like > there isn't huge amounts of compatibility code in GTK, GDK and GLib to > ease such porting (I've used it myself). A minimal port is often just > a bunch of regex search and replace operations, with some small amount > of rewriting. Such a minimal port is hardly worth doing. It is possible to migrate from glib1 to glib2 in such a way (see #359299) but it is much harder to go from gtk1 to gtk2. I've been involved in three gtk1->gtk2 ports, one v.large (GnuCash), one v.small with a dead upstream (quicklist) and one where a "minimal port" (the last act of the old upstream) combined with an ill-advised RCS branch has left a horrible mess of spaghetti code. I'm not sure if the third will ever be a sane Gtk2 application. The Quicklist gtk2 port is in experimental as a pre-release but to do that I have had to refactor >75% of the codebase just to make the old gtk1 interface remotely usable with Gtk2 widgets. There is quite a lot more work to do to make the port stable. Porting from gtk1 to gtk2 is not trivial, even for small gtk applications using default gtk1 widgets. > Note that this is irrespective of how good XMMS is or is not. The > libraries it depends on are dead, and they should have upgraded years > back. $ apt-cache rdepends libgtk1.2 | grep -c -v "^lib" 316 I'm not sure Debian needs to throw out over 300 applications before Lenny. True, most of those are dead upstream - AFAICT GnuCash was the last active upstream to make it to gtk2 - but although these packages use old libraries that have an undoubted *potential* for security problems, in the absence of actual bug reports is it really worth dropping so many packages? Is a dead upstream sufficient cause to drop a package from Debian in the absence of any RC bugs? Is a dependency on libgtk1.2 going to *be* an RC bug for Lenny? It seems a very big step, IMHO. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
Attachment:
pgpkJA55nvAAE.pgp
Description: PGP signature