[Mageia-dev] Package drop request: ruby-ParseTree

Tue Dec 11 00:41:38 CET 2012

'Twas brillig, and Remy CLOUARD at 10/12/12 22:42 did gyre and gimble:
+> At first I didn’t even know task-obsolete existed in the first place so
+> I just followed the procedure Johnny explained. After understanding this
+> mechanism I don’t feel it was the right thing to do in this case.
+> 
+> First, because it’s a small ruby library that’s probably used by only a
+> handful of people. Second, this library is removed because it’s eol’d
+> upstream, but also because no other package use it. It seems to me that
+> it can safely be removed from the mirrors, but removing it from boxes
+> via task-obsolete seems a bit overkill to me, because that package would
+> have been orphaned because nothing requires it (unless someone
+> deliberately installed it, which I doubt)
+> 
+> I’m not yet sure about this but the way I see task-obsolete is that it
+> should only be used for end-applications, and even then I’m not
+> comfortable with silently removing things from people’s machines, I’d
+> rather use Conflicts instead.
+
+So what if we provide this library and someone uses it as a component in
+some other app they write.
+
+They likely have an expectation that it will continue to be supported
+and that any security vulnerabilities in it are detected and fixed.
+
+If we don't have a mechanism to remove (or at least very strongly
+recommend to remove) package we no longer support, then we are leaving
+users vulnerable.
+
+The orphans system is fine, but it's certainly not as strong a mechanism
+as I think is needed.
+
+Col
+
+-- 
+
+Colin Guthrie
+colin(at)mageia.org
+http://colin.guthr.ie/
+
+Day Job:
+  Tribalogic Limited http://www.tribalogic.net/
+Open Source:
+  Mageia Contributor http://www.mageia.org/
+  PulseAudio Hacker http://www.pulseaudio.org/
+  Trac Hacker http://trac.edgewall.org/
+