[Mageia-dev] Package drop request: ruby-ParseTree
Colin Guthrie
mageia at colin.guthr.ie
Tue Dec 11 00:41:38 CET 2012
'Twas brillig, and Remy CLOUARD at 10/12/12 22:42 did gyre and gimble:
> At first I didn’t even know task-obsolete existed in the first place so
> I just followed the procedure Johnny explained. After understanding this
> mechanism I don’t feel it was the right thing to do in this case.
>
> First, because it’s a small ruby library that’s probably used by only a
> handful of people. Second, this library is removed because it’s eol’d
> upstream, but also because no other package use it. It seems to me that
> it can safely be removed from the mirrors, but removing it from boxes
> via task-obsolete seems a bit overkill to me, because that package would
> have been orphaned because nothing requires it (unless someone
> deliberately installed it, which I doubt)
>
> I’m not yet sure about this but the way I see task-obsolete is that it
> should only be used for end-applications, and even then I’m not
> comfortable with silently removing things from people’s machines, I’d
> rather use Conflicts instead.
So what if we provide this library and someone uses it as a component in
some other app they write.
They likely have an expectation that it will continue to be supported
and that any security vulnerabilities in it are detected and fixed.
If we don't have a mechanism to remove (or at least very strongly
recommend to remove) package we no longer support, then we are leaving
users vulnerable.
The orphans system is fine, but it's certainly not as strong a mechanism
as I think is needed.
Col
--
Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/
Day Job:
Tribalogic Limited http://www.tribalogic.net/
Open Source:
Mageia Contributor http://www.mageia.org/
PulseAudio Hacker http://www.pulseaudio.org/
Trac Hacker http://trac.edgewall.org/
More information about the Mageia-dev
mailing list