Re: [GNU-linux-libre] DSFG in perpetuity

[Julie Marchant]

On 2018年03月24日 20:47, Jason Self wrote:
> My recollection of why they were put back is that the notion of if a
> distro was actively maintained or not was supposed to be based on how
> the maintainers of the distro classified it and not on some
> externally-measurable thing like when the last release was, how
> current the program versions are, or whatever. This allows, for
> example, for distros that are slow-moving because of a lack of people
> power to not find themselves kicked off the list because of a
> popularity contest. And that's exactly what it would become: "I'm
> sorry, but there are more people helping with Distro X and not Distro
> Y so Distro Y hasn't been making much progress and hasn't had a
> release in a while so you're gone." It's not supposed to be a
> popularity contest and, if anything, slower-moving distros that have
> less people power probably need more help than the more active &
> popular ones do rather than condemnation and a push to remove them.

I sent an email to this list not too long ago suggesting a set of rules
for determining if a distro is considered to be current or not. Let's see...

Ah, here it is:

http://lists.nongnu.org/archive/html/gnu-linux-libre/2018-01/msg00011.html

I suggested the following rules:

1. The distro's maintainers should annually do one of the following: (a)
publish a new release; (b) publish a post summarizing work done on the
distro in the prior year which directly impacts the distros users (for
example, such a post could note important packages which have been
updated in the current release and what these updates mean to the
users); (c) write to the FSF to explain why no updates have been
necessary in the respective year (and, in particular, why the security
and hardware compatibility implications of this are unimportant).

2. The distro should ensure one of the following: (a) that all known
security vulnerabilities are fixed for users of the current release of
the distro in a reasonable timeframe; (b) that new, non-technical users
of the distro can see that it has or may have security vulnerabilities,
e.g. via a warning on the distro's website that security updates are not
always delivered.

3. The distro should either: (a) be reasonably expected to be compatible
with computers that can currently be bought from mainstream retailers;
(b) indicate on its website what hardware it is compatible with.

I came up with this set of rules to address specific potential concerns:

* Concerns that the FSF may be recommending distros that are useless due
to use of very old software.
* Concerns that the FSF may be recommending distros that are unsafe to use.
* Concerns that the FSF may be recommending distros that don't work on
modern hardware, due to reliance on a very old version of Linux.
* Concerns that addressing these other concerns would cause distros that
don't need frequent updates to be unfairly affected.

I understand the idea that shafting unpopular distros is undesirable,
but the FSF's list is supposed to serve a particular purpose: to suggest
distros for users to use. If a suggestion is for a distro that is
vulnerable and never updated (e.g. BLAG), a user goes with that
suggestion, and that user gets their credit card information stolen
because of some really old vulnerability, who do you think they're going
to blame? BLAG, possibly, but also the FSF for recommending it in the
first place.

-- 
Julie Marchant
https://onpon4.github.io

signature.asc
Description: OpenPGP digital signature