From owner-freebsd-ports@FreeBSD.ORG Mon May 23 17:43:58 2011 Return-Path: Delivered-To: freebsd-ports@freebsd.org Received: from apollo.emma.line.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by hub.freebsd.org (Postfix) with ESMTP id 7120B1065679 for ; Mon, 23 May 2011 17:43:58 +0000 (UTC) (envelope-from mandree@FreeBSD.org) Received: from [127.0.0.1] (localhost.localdomain [127.0.0.1]) by apollo.emma.line.org (Postfix) with ESMTP id 967A223DADA for ; Mon, 23 May 2011 19:43:57 +0200 (CEST) Message-ID: <4DDA9CDD.4080807@FreeBSD.org> Date: Mon, 23 May 2011 19:43:57 +0200 From: Matthias Andree User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Mnenhy/0.8.3 Thunderbird/3.1.10 MIME-Version: 1.0 To: freebsd-ports@freebsd.org References: <4DD9CC82.3020609@aldan.algebra.com> <4DDA3A0E.4070209@FreeBSD.org> <4DDA6B75.4020409@aldan.algebra.com> <4DDA7C11.6020907@FreeBSD.org> <4DDA7E4A.4000306@aldan.algebra.com> In-Reply-To: <4DDA7E4A.4000306@aldan.algebra.com> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: ports/155759 - bad reasons for ports removal -- again X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 May 2011 17:43:58 -0000 Am 23.05.2011 17:33, schrieb Mikhail T.: > On 23.05.2011 11:24, Matthias Andree wrote: >> discontinued more than ten years ago, but in the case of Berkeley DB >> 2.7.7, superseded as well. > > These -- being "too old" (BSD's hack is much older, BTW) or "superseded" > -- aren't valid reasons in my opinion. As long as a package keeps > building -- and there were no problems with it, when db2 was removed -- > it should not be deleted. Ever. Even the maintainer (who does "know > best", how to maintain it) can't remove it -- only disown it. Mikhail, The FreeBSD ports collection isn't a museum of decrepit and superseded ports. Use its CVS history for that purpose. "Superseded" is a very valid reason - it brings in bug fixes that weren't backported, which is particularly true for Berkeley DB. Keeping a port around because it "keeps building", but has no users doesn't serve any purpose, and is no statement of quality, on the contrary. And "there were no problems" doesn't prove the absense, it only proves that the single neowebscript user hasn't seen any for his particular use case. With no users left, it's easy to argue "no problems with it" -- because no-one is left to search for or find them. I've fixed a remote root exploit in an earlier fetchmail version, and that I found through a code audit. Still, "there were no problems with it". Oops, y0u'Re pwn3d? No thanks. Let's stick to the library versions that are in everyday use. I am not saying that Berkeley DB 2.7 were insecure or vulnerable, but I am saying that nobody is looking, because newer versions are available. Correctness is more than "it appears to install". We haven't talked about proper operation in the face of accidents (major fixes in db41 through page checksumming and db44 through enhanced crash detection), random or malicious input, and I have yet to see where you've audited the ChangeLog of BerkeleyDB 3.0 to 5.1 for non-backported fixes that might affect your application. Besides that, we're only having the discussion because Oracle keeps the old unfixed distfiles around. Given you haven't addressed either technical reason, neither in April, nor now, but only stated your (valid) opinion: Can you now please stop bike shedding? Thank you. Best regards, Matthias