On 01/17/2012 09:54 AM, Stephen Gallagher wrote:
> On Tue, 2012-01-17 at 02:21 +0100, Kevin Kofler wrote:
> > While that makes some sense, it was not my point. My point was that even if
> > the package has NO maintainer, as long as it works, it's still better than
> > no package at all!
> Not true. A package that appears to work, has people using it, but has
> no one maintaining it is likely to become a package that has exploitable
> security issues.
> I'm in favor of retiring unmaintained packages. At worst, it will
> encourage someone to step up to re-add it if it is actually important.

I am more with Kevin on this one---absence of evidence of security is
not evidence of absence of security. We should require actual
manifestations of bit rot (bug reports, vulnerability records) before we
consider abandoning packages.