On Wed, 2019-09-18 at 23:24 +0200, Kevin Kofler wrote:
> And if an otherwise maintained package FTBFS, if it does not actually need any change, I don't see how this is even an issue at all.
FTBFS packages can get CVEs filed against them and then they can be
difficult to fix. There are a few problems:
* The FTBFS package often has no maintainer to notice the CVE in the
first place, which means it is likely to just be vulnerable without
any other packagers noticing.
* If someone does notice the CVE and wants to fix it, they have to
first figure out why the package doesn't build. This is at a minimum
extra work for the maintainer, and in some cases it could be that it
is impossible to fix the FTBFS (for example, if the package requires
an older dependency than is in the distribution that was removed or
upgraded years ago).
* If it is impossible to fix the FTBFS and there is a CVE, we also
cannot remove the vulnerable package from stable releases.
The current policy does curtail that last problem (but does not
eliminate it entirely) by removing some FTBFS packages before they have
CVEs. Of course, we do have unmaintained software in the distribution
despite this policy, but the policy does lead to *fewer* unmaintained
packages, which means fewer packages with the above problems.
The FTBFS policy essentially is an "are you there?" to the maintainer.
It is a disservice to our users to provide them with unmaintained
packages, and this is one tool we have to find out if packagers are
still around.