Date: Sat, 1 Oct 2016 09:59:09 +1000
From: Peter Jeremy
To: FreeBSD Ports ML
Subject: Re: Google Code as an upstream is gone
Message-ID: <20160930235909.GA84903@server.rulingia.com>

On 2016-Sep-29 16:33:12 -0700, Kevin Oberman wrote:
>On Thu, Sep 29, 2016 at 9:57 AM, Christian Weisgerber
>wrote:
>
>> Mathieu Arnold:
>>
>> > If the software has not been moved to some other place, (it takes about
>> > 30 seconds to click the automatic migration to github thing, and it is
>> > usually done within the hour,) since march 2015, it is most likely
>> > abandoned and should not be kept in the ports tree.

That seems a very reasonable policy. Unmaintained software is a danger to
the Internet community as a whole and if, after 18 months, a "maintainer"
hasn't bothered to take action to move the software to somewhere where it
can be supported then it rates as "unmaintained".

>> In the past, if the upstream was gone and the maintainer judged the
>> software still useful (at their discretion, not based on a cut-off
>> date), they would even fall back to providing the distfile at
>> people.freebsd.org.

The maintainer is still free to do so. "Maintainership" includes responding
to changes within a reasonable period (hence "maintainer timeout").

>This was simply a terrible idea and I would hope that the ports team would
>clearly so state and back out the "BROKEN" from those ports. As others are
>pointing out, lot of very old and stable code has gone over a year without
>updating.

I think globally marking all ports that fetch from code.google.com as BROKEN
is an excellent idea.
There's a massive difference between "old and stable" and "unmaintained".
The latter means that no-one cares if the code has security vulnerabilities.
Just because code is "old and stable" doesn't mean the code is completely
bug-free and a reasonable maintainer would take steps to ensure that the
code could be updated if needed.

>One case of import to me was mp4v2, a library for making MP4v2 formatted
...
>source library for version 2 of the MP4 spec. Yet, because it had Google
>Code as its repo and had not been updated in just over a year, BROKEN.

The last commit to mp4v2 in code.google.com was 2015-Jan-06 - nearly 21
months ago.

>(That has now been fixed due to several people yelling loudly about its
>import.

That is an issue you should take up with the port's maintainer.

>I am sure that ports contains many old, buggy, insecure ports that should
>go away, but a standard of "over year without a commit" should not be a
>metric for determining what goes away.

IMO, "over 18 months without a commit and not able to be updated if required"
seems a quite reasonable metric for deeming code "abandonware".

-- 
Peter Jeremy