Re: MBF: Removal of GTK2 from forky

["Jonathan Dowland" <jmtd@debian.org>]

On Sat Jan 10, 2026 at 10:17 PM GMT, Gioele Barabucci wrote:
> * MARKED AS LEGACY: d/README.source explicitly describes the legacy 
> status of this package.

We have Section: oldlibs for that (and gtk2 is already in it)

> * SECURE: Known security issues must be fixed in unstable and stable 
> in X days, or the FTP masters will permanently remove the library. 
> (This may imply that the team is now the new upstream.)

This is ambiguous (do you mean known security *fixes* must be applied, 
or an unpatched vulnerability must have a fix written too?) and is also 
a stronger requirement than has ever been applied to any component 
within Debian.

> * NO BURDEN: No modifications to the builders nor specific outdated 
> versions of compilers/runtime environments are required to build the 
> binary packages.

What does outdated mean? It sounds like the proposed rules are leaking 
out to other packages. Say gtk+2.0 build broke with a future gcc-N, and 
an explicit build dependency was added to gcc-M. Is this allowed? Does 
it depend if gcc-M is already still in the archive? Does it depend if 
other packages also explicitly depend on gcc-M? What if they stop? What 
if nothing except gtk+2.0 explicitly depended on gcc-M: would it be 
forced out of the archive too?

--

👱🏻	Jonathan Dowland
✎	 jmtd@debian.org
🔗	https://jmtd.net