Date:      Sat, 16 Mar 2024 09:28:23 +0100
From:      Miroslav Lachman <000.fbsd@quip.cz>
To:        ports@freebsd.org
Subject:   Re: Proposed ports deprecation and removal policy
Message-ID:  <514c12bf-0605-4d83-96e6-132507ce470d@quip.cz>
In-Reply-To: <2a868d2a-649e-4b76-870d-2cd8cfeb4f7d@app.fastmail.com>
References:  <7a7501f71442d27f6d8c1c0a16f247c1@mail.infomaniak.com> <EF5FD6F9-D6EA-45F6-8845-B0476D401EBB@freebsd.org> <7fd610fa25ffb9a4348aaadf7459a689@mail.infomaniak.com> <20240315072753.46ffa39e1bbb2e0996099cdf@dec.sakura.ne.jp> <2cfb2038d956813eefb068a8f61e1970@mail.infomaniak.com> <2a868d2a-649e-4b76-870d-2cd8cfeb4f7d@app.fastmail.com>

On 16/03/2024 02:48, void wrote:
> On Thu, 14 Mar 2024, at 22:59, Daniel Engberg wrote:
> 
>> Since we've moved to git perhaps another option might be to create a separate
>> repo (possibly via submodules) with less restrictive policies and have
>> that as an "add-on" for the official tree without the ports team's and
>> committers' involvement, a bit like "you're on your own" approach?
> 
> 100% agree with this. Stuff with an active maintainer: keep in the official tree.
> Stuff without, or stuff that depends on stuff without - into the
> 'unsupported' tree. Some distros (notably Debian) do this. It's 2024
> not 1994 and most computers are connected to the internet either directly or indirectly. I'd argue there is no place in the official tree for
> poorly/non-maintained ports.
> 
> I imagine having such a system would markedly decrease the maintenance burden of those responsible for the port infrastructure.
> 
> As a user of ports (a dev only in the sense of reporting issues if one can be a dev in that sense) I feel it would be better to *not have a port at all in the official tree* than to have one which is not maintained and possibly or probably
> vulnerable. Remember that not all vulns make it into the VuXML. Having different trees would help new and older users alike to trust ports, and would add
> to transparency of FreeBSD generally.
> 
> just my $0.02

Maintained ports are vulnerable as well, and sometimes somebody else has 
to submit a patch for an updated version to fix the vulnerability. (I 
personally have this experience)
For vulnerabilities, there is VuXML and pkg audit, not removing 
vulnerable ports from the tree.
If you are asking to remove ports without a maintainer, you are asking to 
remove 3458 ports right now, and many others depend on these 
unmaintained ports, so the impact will be much bigger.
Some unmaintained ports are almost vital - for example without 
virtual_oss you cannot use Bluetooth headphones / speakers connected to 
FreeBSD.

Therefore writing "one size fits all" rules for 32k+ ports is not that 
easy. There are too many personal views on this simple problem.

Kind regards
Miroslav Lachman




