From owner-freebsd-ports@FreeBSD.ORG Thu Sep 8 23:01:25 2011 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B9BBC106564A for ; Thu, 8 Sep 2011 23:01:25 +0000 (UTC) (envelope-from jhs@berklix.com) Received: from tower.berklix.org (tower.berklix.org [83.236.223.114]) by mx1.freebsd.org (Postfix) with ESMTP id 114448FC0A for ; Thu, 8 Sep 2011 23:01:24 +0000 (UTC) Received: from mart.js.berklix.net (p5DCBFC25.dip.t-dialin.net [93.203.252.37]) (authenticated bits=0) by tower.berklix.org (8.14.2/8.14.2) with ESMTP id p88N1Mnt017539 for ; Thu, 8 Sep 2011 23:01:23 GMT (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (fire.js.berklix.net [192.168.91.41]) by mart.js.berklix.net (8.14.3/8.14.3) with ESMTP id p88N19pg071787 for ; Fri, 9 Sep 2011 01:01:09 +0200 (CEST) (envelope-from jhs@berklix.com) Received: from fire.js.berklix.net (localhost [127.0.0.1]) by fire.js.berklix.net (8.14.4/8.14.4) with ESMTP id p88N13iM078543 for ; Thu, 8 Sep 2011 23:01:09 GMT (envelope-from jhs@fire.js.berklix.net) Message-Id: <201109082301.p88N13iM078543@fire.js.berklix.net> to: freebsd-ports@freebsd.org From: "Julian H. Stacey" Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany User-agent: EXMH on FreeBSD http://www.berklix.com/free/ X-URL: http://www.berklix.com In-reply-to: Your message "Thu, 08 Sep 2011 18:46:31 +0200." <4E68F167.1070304@FreeBSD.org> Date: Fri, 09 Sep 2011 01:01:03 +0200 Sender: jhs@berklix.com Subject: Re: sysutils/cfs X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Sep 2011 23:01:25 -0000 Matthias Andree wrote: > Am 07.09.2011 17:53, schrieb Mikhail T.: > > > The policy -- up until fairly recently -- was to remove ports, that > > *fail to build* for a while. This made sense -- if the port remains > > unbuildable long enough, then, certainly, it is no longer in use. > > > > The /new/ policy of removing ports for much lighter offenses, such as > > having vulnerabilities, has already caused so many objections, that it > > is time to abolish it. > > I don't see ports being killed the first day they are vulnerable. They > are killed if they're dead If long term dead, fine, but if a port is deleted between releases, without prior warning variables set in Makefile at last release tag, then we deny release users any warning & any code to fix, ... Unless user hurdles the extra un-necessarily premature obstacle of CVS Attic; & as FreeBSD will have just irresponsibly annoyed user, it's a bad time to expect user to waste extra time learning FreeBSD web or CLI interface to CVS for Attic, additional to fixing a broken port and filing a send-pr. Some users may react: "Time for another BSD or Linux with more mature code management." Broken ports should first be marked BROKEN= through a release cycle so more users have time to consider a fix via send-pr. > and vulnerable though, and that's good. No. "Vulnerable" depend on user context you, & as others have already explained,it would be cheeky of FreeBSD to dictate policy to others, when we don't know their circumstances, there are Makefile variables, as others have already explained, to help the User decide, not us. > > A "maintainer timeout" will allow another developer to perform a fix. To > > completely remove the port (if that has to happen at all), a much longer > > warning is warranted. > > Which can certainly be negotiated (and an EXPIRATION_DATE shifted) if > and only if the fix is really going to happen. No. Wooly thinking, that would require commiters making judgements, & changing variables, make it easy & automatic. We've already read a better proposal for some time/ release/ macro var. Read back on the thread. > A case like "I'll fix it > after vacation" might be workable. However if you make empty promises > repeatedly noone will care. You'r assuming some rush crusade to delete, backed by time consuming analogue humans making value judgements. Not good, better leave it to the state machine of send-pr & automatic non short term var macros for expire. > > > Yes, the matter is exactly that: your wanting to remove something, that > > continues to build and remains in use. You followed, what you think is > > "an old" policy, and are getting flack from people like myself, who > > object to the (new) policy. Nothing personal... > > End users are not obliged to delete ports we've removed from the ports, Neither would you be obliged to delete eg your gcc if src/ unbundled it, but you'd find it pretty annoying after no warning, to suddenly need to look for a backup in the Attic. > so I wonder what the heck the difficulty is with "we no longer care". "We no longer care ... to be responsible, we removed it without warning." Or "We no longer care ... to give this without warning, so we added some BROKEN= / DEPRECATED= / FORBIDDEN= so users can make their Own decision in light of their circumstances." > We're not enforcing port removals on end user's computers. We're not > Google removing applications from your Android phone. We're not Apple > doing the same to your iOS phone. > > So can this discussion be ended? When the ill considered ports/ killing campaign is ceased. > If the port was in active use and > maintained, we would not be deprecating it. Not true. Example: Procmail too was proposed for the ports killing crusade. ( A FreeBSD developer who doesnt have time for ports@ was shocked when he heard that today.) > > Again. This is not about a particular port -- Julian, myself, and other > > objectors can fix /any/ port, but we can not fix them /all/, so blaming > > us for not submitting patches is wrong. > > Rather than waste your time discussing that you could go maintain and/or > fix the ports you feel should not be deprecated. Wrong. Re-Read Mikhail above "Again. This is not ..." > > We object to the new policy, because we believe, only those ports, that > > fail to build, ought to be removed. Problematic ports ought to remain in > > the tree (as long as they build) -- to make it easier for people to > > continue using them and/or offer to maintain them. If there remains a > > vulnerability, then, of course, a loud warning (with a link to the > > advisory(ies)) is in order, but the users ought to make their own > > choices and evaluations. > > They do even after port removal. Wrong. They will find the port they were going to look at has been irresponsibly removed without warning, no code left there to fix. If a port is known broken and there is > no prospect of a fix, it must go. "no prospect of a fix" is a value judgement not easily made in a rush. (& some value judgement in the ports crusade have been wrong recently). Better FreeBSD should revert largely to the pre port killing crusade way, allow release users some warning. See definition of eg BROKEN in ports/Mk/bsd.port.mk If a port is found to be broken it is Not just tossed, it is marked "BROKEN=" (hopefully for a good while, eg at least a release cycle) so release users have time to see & fix. Cheers, Julian -- Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com Reply below, not above; Indent with "> "; Cumulative like a play script. Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable. http://www.softwarefreedomday.org 17th Sept, http://berklix.org/sfd/ Oct.