
Re: Fixed release dates are hurting quality



Andrey Rahmatullin <wrar@debian.org> writes:
> On Sun, Feb 07, 2021 at 10:25:26AM -0800, Russ Allbery wrote:

>> To me, the rewards of keeping the orphaned packages clearly outweigh
>> the risks.  If the package is actually broken, presumably sooner or
>> later someone will notice and report that as a bug, and we can then
>> take appropriate action.

>> The exception, I suppose, is that we probably shouldn't keep shipping
>> packages that are orphaned and that no one is using, just on clutter
>> grounds, but that seems like a smaller problem that would be
>> better-handled by other mechanisms than a blanket rule for unmaintained
>> packages.

> There are also other, though I think rare, considerations, like security
> problems.

Yes, security is a worry, and security problems in orphaned packages fall
primarily on the security team instead of on the maintainer.  If there are
packages of concern to the security team from a supportability standpoint,
I certainly would support them in asking for them to be adopted or
removed.

Thankfully, most packages in the archive don't tend to have meaningful
security problems, in the sense that they don't listen to the network and
don't have unusual privileges, so are only likely to cause problems if
they're somehow run on untrusted input.  (Which was probably your point
about being rare.)

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>