From: Léo Le Bouter
To: guix-devel@gnu.org
Subject: A proposal for better quality in maintenance of packages by reducing scope
Date: Tue, 23 Mar 2021 16:00:42 +0100
Message-ID: <1b2c22892d9cde9b86ff96cc70cb89ad17fba807.camel@zaclys.net>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hello!

There are lots of packages in GNU Guix and maintaining all of them is tedious; even if we have tooling, there's only so much we can do. I want to have a secure and reliable system, and I would also like to only depend on packages I know are easy to maintain for GNU Guix contributors.

I would like to propose that we reduce the scope of the maintenance we do in GNU Guix and establish a list of packages that we more or less commit to maintaining, because this is something that we can do and is attainable. For example, we could remove desktop environments that we can't maintain to good standards realistically and focus our efforts on upstreams that don't go against our way of doing things, that are cooperative, that provide good build systems we can rely on for our purposes, etc.

I propose we also add some requirements before packages can go into such a maintained state, like a working and reliable updater/refresher with notifications directed to some mailing list when that one finds a new release, a reduced amount of downstream patches and a cooperative upstream with whom we preferably have some point of contact to solve issues or gather more insider knowledge about the software if we need, a working and reliable CVE linter with proper cpe-name/vendor and notifications going to a mailing list we all subscribe to, etc. Probably lots of other things are relevant, but you see the idea.

It should also be possible to filter out packages that are not declared to be in this maintained state, for example, in the GNU Guix System configuration. Some kind of quality rating for packages that users can trust.

What do you think?

Léo