[Mageia-dev] Package drop request: ruby-ParseTree

Remy CLOUARD shikamaru at shikamaru.fr
Tue Dec 11 07:38:28 CET 2012


On Mon, Dec 10, 2012 at 11:41:38PM +0000, Colin Guthrie wrote:
> So what if we provide this library and someone uses it as a component in
> some other app they write.
> 
> They likely have an expectation that it will continue to be supported
> and that any security vulnerabilities in it are detected and fixed.
> 
> If we don't have a mechanism to remove (or at least very strongly
> recommend to remove) package we no longer support, then we are leaving
> users vulnerable.
> 
> The orphans system is fine, but it's certainly not as strong a mechanism
> as I think is needed.
Well, that would be very lazy from that person not to test the app and
release it. Actually, the ruby community has a strong focus on test
driven development. Since that library is broken with ruby 1.9, it won’t
pass the first test. So no worries here. Actually, I’m pretty sure it
couldn’t even stay on the machine just because it is linked against
libruby.so.1.8, and we provide libruby.so.1.9.

In the ruby policy I added as a requirement a
    Requires: ruby(abi) = version
I’m pleased to see this is now an automatic thing, meaning that a
package that doesn’t build won’t stand a chance to stay on people’s
machines.

That being said it still requires human intervention to remove it from
the mirrors.

To me this is a rather sane way to deal with the problem, because it’s
self-explanatory: the package can’t stay because its requirements are
not met. If you add it to task-obsolete, you provide no reason to the
user, most of the time the explanation is only a comment in
task-obsolete’s spec file.

Regards,
> 
> Col
> 
> -- 
> 
> Colin Guthrie
> colin(at)mageia.org
> http://colin.guthr.ie/
> 
> Day Job:
>   Tribalogic Limited http://www.tribalogic.net/
> Open Source:
>   Mageia Contributor http://www.mageia.org/
>   PulseAudio Hacker http://www.pulseaudio.org/
>   Trac Hacker http://trac.edgewall.org/
-- 
Rémy CLOUARD
() ascii ribbon campaign - against html e-mail
/\ www.asciiribbon.org - against proprietary attachments

