[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Question on the process of packge withdrawal
|
From: |
Andreas Enge |
|
Subject: |
Re: Question on the process of packge withdrawal |
|
Date: |
Tue, 28 Feb 2023 15:57:33 +0100 |
Hello,
Am Sun, Feb 26, 2023 at 08:11:52PM +0000 schrieb Sharlatan Hellseher:
> If we check
>
> <https://git.savannah.gnu.org/cgit/guix.git/commit/?h=core-updates&id=409ce1d939bc3b100e5965d2b4e17cb1f93bcac7>
> commit removing jrnl variable which has it's source pointing to
> <https://github.com/maebert/jrnl> which is an old fork of original
> active project <https://github.com/jrnl-org/jrnl>.
the reason is in the commit message:
The last release of the package dates from 2019.
It depends on the cryptography library python-pycrypto, which has had
its last release in 2013 and "is unmaintained, obsolete, and contains
security vulnerabilities" according to its homepage.
The github repository says
This branch is 811 commits ahead, 1580 commits behind jrnl-org:develop
Difficult to know what is the good version... (We were two to think the
projet was dead upstream.)
I am happy to put it back in (the cryto apparently comes from
python-cryptography now). However, the previous version 1.9.7 was from 2014,
there was a version 2.0 in 2019, and the current version is 3.3.
Is there sufficient compatibility to "upgrade" (by reverting the removal
commit and updating as usual)? Or should it be treated like a new package?
Have you used the 1.9.7 package recently? Has anybody used it recently?
Otherwise I would be enclined to leave it out until someone wishes to put
it in again as a "new" package. Updating packages that noone is interested
in is an unnecessary drag on volunteers' time.
Concerning the process, I think we should have one :)
It would be nice to document the process in the manual.
This should differentiate between the different reasons for removal:
security problems, not building, etc.
Andreas