Léo Le Bouter writes: > There's lots of packages in GNU Guix and maintaining all of them is > tedious, even if we have tooling, there's only so much we can do. > > I want to have a secure and reliable system, I would also like to only > depend on packages I know are easy to maintain for GNU Guix > contributors. > > I would like to propose that we reduce the scope of the maintenance we > do in GNU Guix and establish a list of packages that we more or less > commit to maintaining because this is something that we can do and is > attainable, for example, we could remove desktop environments that we > can't maintain to good standards realistically and focus our efforts on > upstreams that don't go against our way of doing things, that are > cooperative, that provide good build systems we can rely on for our > purposes, etc. > > I propose we also add some requirements before packages can go into > such a maintained state, like a working and reliable updater/refresher > with notifications directed to some mailing list when that one finds a > new release, a reduced amount of downstream patches and a cooperative > upstream with who we preferably have some point of contact to solve > issues or gather more insider knowledge about the software if we need, > a working and reliable CVE linter with proper cpe-name/vendor and > notifications going to a mailing list we all subscribe to, etc.. > probably lots of other things are relevant but you see the idea. > > It should also be possible to filter out packages that are not declared > to be in this maintained state, for example, in the GNU Guix System > configuration. > > Some kind of quality rating for packages that users can trust. > > What do you think? This might be beneficial once there are obvious different groups of packages, probably falling in to a hierarchy (even just a two level one). But I don't think that point has been reached yet, so this sounds like more work for not much benefit.