[Nix-dev] Maintainership
Petr Rockai
me at mornfall.net
Wed Jan 29 13:32:54 CET 2014
Jan Malakhovski <oxij at oxij.org> writes:
> * First, this "remove unmaintained" policy discourages adding new
> packages to the public nixpkgs by users that are unable to maintain
> stuff. In the example above, I would better store the package in my
> own branch than risk it being unexpectedly removed. This would
> probably imply duplication of work in case somebody else will want to
> have it at some later point. I wouldn't search all the nixpkgs' forks
> for a possibility that somebody already has an expression for this
> package.
It is a trade-off. Broken packages can be more overhead than duplication
of work. If you make a package that works for you, push it to nixpkgs
and abandon it, the next person will find it broken for his purpose, fix
it and in the process break it for you. You will both spend time
debugging the package. If one of the two users was a maintainer, the
other could come to him and they can figure out something that works for
both. If there is no maintainer and you update once in a while, you can
end up ping-ponging fixes and counterfixes.
> I would rather drop this "remove unmaintained" altogether, at least
> for current requirements for being a maintainer (especially about the
> "timely fashion"). Marking unmaintained (or even better: unmaintained
> and potentially exploitable (which I would define as: it's a daemon or
> some other package uses it)) packages broken and notifying
> contributors about this fact looks okay.
Even things that are marked as broken involve cognitive overhead when
working on nixpkgs. They clutter up the source, often use outdated
idioms, they hold up or complicate changes in support code. It's like a
closet, it's hard to get at the things you actually use when it's full
of junk.
As for exploitable, that's an extremely conservative approach you
suggest. I'm wondering if a remote code execution vulnerability in your
browser or e-mail client is of no concern to you. :-) Or a PDF reader?
Flash plugin? There have been countless security breaches due to bugs in
non-daemon, leaf packages.
Petr
--
id' Ash = Ash; id' Dust = Dust; id' _ = undefined
More information about the nix-dev
mailing list