From: Andreas Enge <andreas@enge.fr>
To: Sharlatan Hellseher <sharlatanus@gmail.com>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: Question on the process of package withdrawal
Date: Tue, 28 Feb 2023 15:57:33 +0100
Message-ID: <Y/4WXXPTBWndYk4Q@jurong>
In-Reply-To: <CAO+9K5pgp=ZKBTjtU=hYNZExYWC0TQP9GLEqwNXRQ_tJ3KY0Tg@mail.gmail.com>

Hello,

On Sun, Feb 26, 2023 at 08:11:52PM +0000, Sharlatan Hellseher wrote:
>   If we check
>   <https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=409ce1d939bc3b100e5965d2b4e17cb1f93bcac7>
>   commit removing jrnl variable which has its source pointing to
>   <https://github.com/maebert/jrnl> which is an old fork of original
>   active project <https://github.com/jrnl-org/jrnl>.

the reason is in the commit message:
    The last release of the package dates from 2019.
    It depends on the cryptography library python-pycrypto, which has had
    its last release in 2013 and "is unmaintained, obsolete, and contains
    security vulnerabilities" according to its homepage.

The github repository says
   This branch is 811 commits ahead, 1580 commits behind jrnl-org:develop
Difficult to know what is the good version... (We were two to think the
project was dead upstream.)

I am happy to put it back in (the crypto apparently comes from
python-cryptography now). However, the previous version 1.9.7 was from 2014,
there was a version 2.0 in 2019, and the current version is 3.3.
Is there sufficient compatibility to "upgrade" (by reverting the removal
commit and updating as usual)? Or should it be treated like a new package?
Have you used the 1.9.7 package recently? Has anybody used it recently?
Otherwise I would be inclined to leave it out until someone wishes to put
it in again as a "new" package. Updating packages that no one is interested
in is an unnecessary drag on volunteers' time.


Concerning the process, I think we should have one :)
It would be nice to document the process in the manual.
This should differentiate between the different reasons for removal:
security problems, not building, etc.

Andreas


