pkgsrc-Users archive


Re: Switching default version of PHP/RUBY and retirement...



Takahiro Kambe <taca%back-street.net@localhost> writes:

>> While I see the point of cleaning up cruft, it doesn't feel like the
>> presence of php56 (to pick one) is causing trouble.  We need to have a
>> "versions accepted" mechanism no matter what, and packages that only
>> take 5.6 are coded that way, and I don't see that this is causing anyone
>> to have to do any ongoing work.  Am I misperceiving?
> There are two points:
>
> 1. PHP 5.6 is old and security problems are left on pkgsrc.
> 2. Many packages that only accept php56 are not well maintained on pkgsrc
>    and there are security problems here, too.
>
> So, I wish to update those unmaintained packages but I do not have enough
> time.  :-(

Sure, nobody has enough time!  But I don't see that as a justification
to remove things that people are using.

I don't think we should remove things because of security advisories.
It's up to users to decide what to run.   Two big points:
  - if we removed all packages with advisories, we'd have very little
    left
  - we have a mechanism to record security problems.  People can use it,
    and removing packages because of that is working against the
    principle of "let people choose but give them data".
  - we don't have any kind of "we should remove packages if there is an
    advisory against them" norm, at all.

Certainly there may be some packages that are unmaintained upstream and
that are so crufty that it is a reasonable belief that there are zero
users.  But it doesn't make sense to think that every php56-only package
is in this category.


