ports/155759 - bad reasons for ports removal -- again
mandree at FreeBSD.org
Mon May 23 17:43:58 UTC 2011
On 23.05.2011 17:33, Mikhail T. wrote:
> On 23.05.2011 11:24, Matthias Andree wrote:
>> discontinued more than ten years ago, but in the case of Berkeley DB
>> 2.7.7, superseded as well.
> These -- being "too old" (BSD's hack is much older, BTW) or "superseded"
> -- aren't valid reasons in my opinion. As long as a package keeps
> building -- and there were no problems with it, when db2 was removed --
> it should not be deleted. Ever. Even the maintainer (who does "know
> best", how to maintain it) can't remove it -- only disown it.
The FreeBSD ports collection isn't a museum of decrepit and superseded
ports. Use its CVS history for that purpose.

"Superseded" is a very valid reason - it brings in bug fixes that
weren't backported, which is particularly true for Berkeley DB.

Keeping a port around because it "keeps building", but has no users
doesn't serve any purpose, and is no statement of quality, on the
contrary. And "there were no problems" doesn't prove the absence, it
only proves that the single neowebscript user hasn't seen any for his
particular use case. With no users left, it's easy to argue "no
problems with it" -- because no-one is left to search for or find them.

I've fixed a remote root exploit in an earlier fetchmail version, and
that I found through a code audit. Still, "there were no problems with
it". Oops, y0u'Re pwn3d? No thanks. Let's stick to the library
versions that are in everyday use. I am not saying that Berkeley DB 2.7
were insecure or vulnerable, but I am saying that nobody is looking,
because newer versions are available.

Correctness is more than "it appears to install".

We haven't talked about proper operation in the face of accidents (major
fixes in db41 through page checksumming and db44 through enhanced crash
detection), random or malicious input, and I have yet to see where
you've audited the ChangeLog of BerkeleyDB 3.0 to 5.1 for non-backported
fixes that might affect your application.

Besides that, we're only having the discussion because Oracle keeps the
old unfixed distfiles around.

Given you haven't addressed either technical reason, neither in April,
nor now, but only stated your (valid) opinion:

Can you now please stop bike shedding?