saving a few ports from death

Wed Apr 27 21:37:57 UTC 2011

On Wed 27 Apr 2011 at 14:05:57 PDT Eitan Adler wrote:
>>> apache13 is EOL upstream. We should not have ports for EOL software.
>>
>> Why not, exactly?..
>
>What happens if a security hole or a bug is found? Are we the ones to
>fix it? 

No.  The rule of caveat emptor should apply.  We don't warranty anything
else in the portstree, why would you think that there's an implied
warranty in this scenario?

>If yes are we to host the patches? 

The question is moot, given a negative answer to the preceding one.

>Where should the bug reports go to - our bug tracker? 

If they do get submitted there, they should be immediately closed as
"Won't Fix". 

>What if our implementation ceases to match established documentation?
>Should we host the docs too?

Same answers as above.

>
>The ports collection is one of *third party* software (with a couple
>of small exceptions). If the third party says "this program is done,
>has bugs which won't be fixed, etc" we should no longer support it.

Keeping it in the tree != obligation to provide support, i.e., bugfixes
for anything except the port Makefile and other port-related files.  As
long as there's a maintainer willing to do the work to keep it running
(warts and all) on the currently-supported FreeBSD releases, I don't see
any reason why it can't be kept in the tree.

>>>
>>> If upstream says it's dead, who are we to keep it alive?
>>
>> We are a major Operating System project, which maintains ports of
>> third-party applications for the convenience of our users. An
>> EOL-declaration by the authors does not mean, the users must stop using it
>> immediately -- it simply says, the authors will not be releasing
>> updates/bug-fixes.
>
>Correct. However (a) if the third party gave an upgrade path we should
>encourage our users to use it and (b) if there *are* known bugs and
>especially security holes we should cease to make it available through
>our tree.

Agree with (a) but maybe not (b).  That's a decision that should be left
to the users.

>
> If a user says "I found an issue with X and it is EOL upstream" the
>correct response is to "upgrade to a supported version".

See above.

>However this discussion is different to the one that we started with
>(namely that of deprecated ports) so lets try and get back on track :-)

Actually, it's a closely related question.