[Mageia-dev] Package removal proposal

Sander Lepik sander.lepik at eesti.ee
Sun Aug 26 16:33:22 CEST 2012


Sander

26.08.2012 17:15, Colin Guthrie kirjutas:
> 'Twas brillig, and Johnny A. Solbu at 25/08/12 02:42 did gyre and gimble:
>> On Saturday 25 August 2012 02:33, Olivier Thauvin wrote:
>>> For me obsolete should be reserved for replacements or rename, nothing
>>> more.
>> I agree on this.
> So in two years time, we add a new package with the same filename as one
> of these old package, we may get some very strange edge cases on package
> upgrades/installer because keeping these old, no longer shipped packages
> installed is still "supported" (of course this could happen even if the
> old package were obsoleted properly, due to package install order on
> upgrades)
>
> What about when there are security issues in the old package? Do we just
> drop it and then wash our hands of the whole affair and don't give a
> crap when a user's system is completely compromised?
>
> In my opinion we should run a tight ship. If users want to use something
> we no longer ship, then they still have several choices:
>  1. Don't install task-obsolete and add it to their skip.list.
>  2. Do a local compile+install into /usr/local of the software in question
>  3. Package it and become a contributor (assuming the reason for
> dropping the package was due to a lack of maintainer rather than a
> specific desire/reason (i.e. legal))
>
> For all of these options the user is both informed and can make a very
> clear, concious choice about how they want to proceed and know the
> consequences of doing so.
>
>
> Obsoletes in packages which genuinely replace the old one seem
> reasonable and uncontroversial.
>
> Col
>
What about new feature. Some txt file (containing obsoleted package per line and probably
can be signed somehow) in the mirrors that can be updated by sysadmins. During update urpmi
will check this file and will compare with local file where user has marked what (s)he wants
to do with those packages (<obsoleted package> <status: keep/remove> per line). If urpmi
finds package that hasn't been listed in local file it will ask the user what to do with it
+ will show warning that all possible security problems are not our problem anymore.


More information about the Mageia-dev mailing list