Unmaintained Repository Was: Spoke too early

James Westby jw+debian at jameswestby.net
Sun Apr 26 20:48:36 UTC 2009


On Sun, 2009-04-26 at 11:58 -0400, Martin Owens wrote:
> More useful would be to assess the bit-rot, number of bugs, any
> critical or security issues which make it dangerous. [...]
> barring any security issues I see no reason why it should be removed.
> (although I'm sure these things are assessed in due process)

You are correct, these things are usually assessed.

However, while a package may not have any known security issues now,
there's nothing to say that it doesn't have some unknown ones, and
if there is no upstream then it reduces the chances that they
will be found and dealt with.

Usually more pressing is the question of who cares for the package.
There is a cost to keeping the packages around, and while it is usually
small, it is not negligible. If we keep the package in the repositories
then it would be reasonable for users of the package to assume that they
could get some level of support for the package.

> The other option is to move these things to an "unmaintained" repository
> where users can have the initiative to install things they want but also
> be made aware of its unmaintained nature (perhaps even encouraging
> developers to maintain it). At least then people wouldn't have to go
> digging around for PPAs.

This isn't necessarily a bad idea; however, I don't think I would like to
see it.

Firstly, there is the question of bugs, as it would still be possible to
file bugs against these packages in Ubuntu, without any clue given
to the user that they are using an unsupported package. This would
reflect badly on the distribution.

Secondly, there is the question of user awareness of what they are
doing. Simply enabling the repository to install something would then
lead to it not being clear which packages you install later are
unmaintained. It would be possible to teach the packaging tools about
this, but it would be a significant investment I fear (though one that
may be useful for making third party repositories more palatable).

I would think that PPAs would be better in some respects, as while
we would have less control over the contents, the fact that they are
more targeted is a benefit here.

It would be quite easy to write a script that grabbed each removed
package and uploaded it to a PPA; however, it's not necessarily going
to build, if it does it may not work correctly any more, and further
it may be being removed for a very good reason (being terminally
vulnerable to remote exploits, for instance).

Thanks,

James