Date: Mon, 23 May 2011 19:43:57 +0200
From: Matthias Andree <mandree@FreeBSD.org>
To: freebsd-ports@freebsd.org
Subject: Re: ports/155759 - bad reasons for ports removal -- again
Message-ID: <4DDA9CDD.4080807@FreeBSD.org>
In-Reply-To: <4DDA7E4A.4000306@aldan.algebra.com>
References: <4DD9CC82.3020609@aldan.algebra.com> <4DDA3A0E.4070209@FreeBSD.org> <4DDA6B75.4020409@aldan.algebra.com> <4DDA7C11.6020907@FreeBSD.org> <4DDA7E4A.4000306@aldan.algebra.com>

On 23.05.2011 17:33, Mikhail T. wrote:
> On 23.05.2011 11:24, Matthias Andree wrote:
>> discontinued more than ten years ago, but in the case of Berkeley DB
>> 2.7.7, superseded as well.
>
> These -- being "too old" (BSD's hack is much older, BTW) or "superseded"
> -- aren't valid reasons in my opinion. As long as a package keeps
> building -- and there were no problems with it, when db2 was removed --
> it should not be deleted. Ever. Even the maintainer (who does "know
> best", how to maintain it) can't remove it -- only disown it.

Mikhail,

The FreeBSD ports collection isn't a museum of decrepit and superseded ports. Use its CVS history for that purpose.

"Superseded" is a very valid reason - it brings in bug fixes that weren't backported, which is particularly true for Berkeley DB.

Keeping a port around because it "keeps building", but has no users doesn't serve any purpose, and is no statement of quality, on the contrary.

And "there were no problems" doesn't prove the absence, it only proves that the single neowebscript user hasn't seen any for his particular use case. With no users left, it's easy to argue "no problems with it" -- because no-one is left to search for or find them.

I've fixed a remote root exploit in an earlier fetchmail version, and that I found through a code audit. Still, "there were no problems with it". Oops, y0u'Re pwn3d? No thanks. Let's stick to the library versions that are in everyday use.

I am not saying that Berkeley DB 2.7 were insecure or vulnerable, but I am saying that nobody is looking, because newer versions are available.

Correctness is more than "it appears to install". We haven't talked about proper operation in the face of accidents (major fixes in db41 through page checksumming and db44 through enhanced crash detection), random or malicious input, and I have yet to see where you've audited the ChangeLog of BerkeleyDB 3.0 to 5.1 for non-backported fixes that might affect your application.

Besides that, we're only having the discussion because Oracle keeps the old unfixed distfiles around.

Given you haven't addressed either technical reason, neither in April, nor now, but only stated your (valid) opinion: Can you now please stop bike shedding? Thank you.

Best regards,
Matthias