Re: removal instead of orphaning?



On Fri, Aug 26, 2016 at 07:43:20AM -1000, David Prévot wrote:

> > As long as there are no RC bugs filed for the
> > orphaned packages, I don't see any direct reason to remove them.
> 
> What about, e.g., security issues: if nobody cares about maintaining
> code, whether dormant or dead upstream, or simply no maintainer to
> include security fixes or upload new upstream versions, then I believe
> it may cause direct harm to the project.

Perhaps. But consider this: people who don't need a package don't
install it. Those who do need it do. If Debian, for whatever reason,
does not provide the package they need, they will have to download it
themselves and install it on their machine. Which for them will take
more time and effort than apt-get install would. And then for sure they
will not get automatic updates, and I don't think that most end-users
will start tracking security fixes and new upstream versions themselves,
unless they really need new features. So while Debian the project can
wash its hands of the package in question, the harm done to the end-user
is still the same or maybe even larger.

> The fact that nobody cared enough to track issues and eventually file
> RC-bugs may not be the best way to claim that a package is good
> enough.

I'm quite sure there are many packages with active maintainers for which
nobody cares enough to file RC-bugs either. Are you actively checking
for security problems in all of your packages? If you haven't automated
it in some way, do you manually check for new versions and upstream bug
reports every day or week?

I personally find the criterion "package is orphaned" too arbitrary to
say it should be removed.

> > If no-one used the package, then sure, the package is really useless.
> > But if at least some people are using it, it has value.
> 
> Maybe it is worth considering alternatives instead of using unmaintained
> code, or stepping up in proper maintenance, rather than leaving
> unaudited code on some of our users' machines.

Which fraction of code in Debian with active maintainers is actually audited?

-- 
Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus@debian.org>