From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp12.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id EJtvDX4W/mPHoQAAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 28 Feb 2023 15:58:06 +0100
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp12.migadu.com with LMTPS
	id eFpwDX4W/mNp0gAAauVa8A
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 28 Feb 2023 15:58:06 +0100
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id EB4869AD7
	for <larch@yhetil.org>; Tue, 28 Feb 2023 15:58:05 +0100 (CET)
Authentication-Results: aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1677596286;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:in-reply-to:in-reply-to:
	 references:references:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post; bh=rbGgqQUVmV6V+jJXZ+LvRc5l0s7GgBw1+C1+Wi8EdJk=;
	b=RhF3621rBl7zEZ8n6ZFdN4JqDkgh4r9Iz6uPPIkAR0EVvGEf7hUT5xvHn69/tmeHBd0O/e
	ZcwULojF+5VZpidYpI4YA8tJ8L3AJxp6w3r0Ujv/cgdrLbsUZhTo7XxOR9dMdNPczWpVn4
	3gHookNXqT0rTp1dYzxH8CNHXEJdmEuCOoVWKzTyDKG/1+8BJoGr0Va/O56HwZHHeTBdgz
	X9Zgry5iV6kJO+zjSMjM+PoSQAKEP+BzDmQMoGGuXO296HDStAJcUiYXnSjJ5jwkw55rAb
	fYfgBSUZ7/leEoRf7SYAQ+Ql8kLHgHk9WCyyXFhpLkYpnJmiNV3jZOcyAEzmSw==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org";
	dmarc=none
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1677596286; a=rsa-sha256; cv=none;
	b=sgKy5753JB5WIAQhr5PXGuCs5QnzR5lVgw+MyzDcqJkLQ7xJuuZzy9kj8E+OfNFJ85dVgK
	aF7yu9vAsVrOEs/jZwA2qbOIAsUGoe9ryUyLasgKpFPwEF83DlSaFruFZjXkSjEriEH9zw
	7Zmy1c+i0pdAmcFCIbIzlMnu908Z55CExHUIAPZZx1h5IDHNCTz++Jx0Ni0kQBRz6txhQS
	TvBa28aOm9hAiIqC7QKtse+b1hxuo3x0ZbsuIZx//0tbxCGG5Hzjnbi6a40zU5RghD8X0c
	1WC1ucXdkkkQX8FYuPtJwTaozRW63wCkUIVm8CXObtIBOTHrLcvfySEdtem5ZQ==
Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces@gnu.org>)
	id 1pX1QF-0007Mj-FX; Tue, 28 Feb 2023 09:57:43 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <andreas@enge.fr>) id 1pX1QD-0007MM-Js
 for guix-devel@gnu.org; Tue, 28 Feb 2023 09:57:41 -0500
Received: from hera.aquilenet.fr ([2a0c:e300::1])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <andreas@enge.fr>) id 1pX1QB-0002bp-NP
 for guix-devel@gnu.org; Tue, 28 Feb 2023 09:57:41 -0500
Received: from localhost (localhost [127.0.0.1])
 by hera.aquilenet.fr (Postfix) with ESMTP id 4E17F298;
 Tue, 28 Feb 2023 15:57:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at hera.aquilenet.fr
Received: from hera.aquilenet.fr ([127.0.0.1])
 by localhost (hera.aquilenet.fr [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Tkp5jpJt5LmE; Tue, 28 Feb 2023 15:57:34 +0100 (CET)
Received: from jurong (unknown [147.94.72.48])
 by hera.aquilenet.fr (Postfix) with ESMTPSA id 9B9B134;
 Tue, 28 Feb 2023 15:57:34 +0100 (CET)
Date: Tue, 28 Feb 2023 15:57:33 +0100
From: Andreas Enge <andreas@enge.fr>
To: Sharlatan Hellseher <sharlatanus@gmail.com>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: Question on the process of packge withdrawal
Message-ID: <Y/4WXXPTBWndYk4Q@jurong>
References: <CAO+9K5pgp=ZKBTjtU=hYNZExYWC0TQP9GLEqwNXRQ_tJ3KY0Tg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAO+9K5pgp=ZKBTjtU=hYNZExYWC0TQP9GLEqwNXRQ_tJ3KY0Tg@mail.gmail.com>
Received-SPF: pass client-ip=2a0c:e300::1; envelope-from=andreas@enge.fr;
 helo=hera.aquilenet.fr
X-Spam_score_int: -18
X-Spam_score: -1.9
X-Spam_bar: -
X-Spam_report: (-1.9 / 5.0 requ) BAYES_00=-1.9, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
X-Migadu-Spam-Score: -3.49
X-Spam-Score: -3.49
X-Migadu-Scanner: scn0.migadu.com
X-Migadu-Queue-Id: EB4869AD7
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: guix-devel-bounces+larch=yhetil.org@gnu.org
X-Migadu-Country: US
X-Migadu-Flow: FLOW_IN
X-TUID: ixxbTsuZ6hj1

Hello,

Am Sun, Feb 26, 2023 at 08:11:52PM +0000 schrieb Sharlatan Hellseher:
>   If we check
>   <https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=409ce1d939bc3b100e5965d2b4e17cb1f93bcac7>
>   commit removing jrnl variable which has it's source pointing to
>   <https://github.com/maebert/jrnl> which is an old fork of original
>   active project <https://github.com/jrnl-org/jrnl>.

the reason is in the commit message:
    The last release of the package dates from 2019.
    It depends on the cryptography library python-pycrypto, which has had
    its last release in 2013 and "is unmaintained, obsolete, and contains
    security vulnerabilities" according to its homepage.

The github repository says
   This branch is 811 commits ahead, 1580 commits behind jrnl-org:develop
Difficult to know what is the good version... (We were two to think the
projet was dead upstream.)

I am happy to put it back in (the cryto apparently comes from
python-cryptography now). However, the previous version 1.9.7 was from 2014,
there was a version 2.0 in 2019, and the current version is 3.3.
Is there sufficient compatibility to "upgrade" (by reverting the removal
commit and updating as usual)? Or should it be treated like a new package?
Have you used the 1.9.7 package recently? Has anybody used it recently?
Otherwise I would be enclined to leave it out until someone wishes to put
it in again as a "new" package. Updating packages that noone is interested
in is an unnecessary drag on volunteers' time.


Concerning the process, I think we should have one :)
It would be nice to document the process in the manual.
This should differentiate between the different reasons for removal:
security problems, not building, etc.

Andreas