Re: Proposed ports deprecation and removal policy

> On 16. Mar 2024, at 10:45, void <void@f-m.fm> wrote:
> 
> On Sat, 16 Mar 2024, at 08:28, Miroslav Lachman wrote:
> 
>> For vulnerabilities, there is VuXML and pkg audit, not removing 
>> vulnerable port from the tree.
> 
> I'm talking about *moving* them to a *different* tree, with different 
> priorities, so preserving choice while implicitly informing of risks,
> and decreasing the maintenance burden to those running port infra.
> I'd imagine some threshold would need to be decided on.
> 
>> If you are asking to remove ports without maintainer, you are asking to 
>> remove 3458 ports right now, and many others depends on these 
>> unmaintained ports, so the impact will be much bigger.
>> Some unmaintained ports are almost vital - for example without 
>> virtual_oss you cannot use Bluetooth headphones / speakers connected to 
>> FreeBSD.
> 
> I'm not asking to remove anything, just move to a different tree.

Yeah, it’s like after a failed investment your money is not really gone, it’s just somewhere else.

> People could
> follow one or the other depending on their (for example) security posture. 
> They'd be able to easily make an informed choice.
> -- 

Seriously, the “other” tree would rot in no time, this is not practical (it’s also interesting how the discussion moved from ‘ports unmaintained upstream’ to ‘ports without a maintainer’). If the goal is to have a pure system nobody uses, please go ahead.

I (still) think an approach where `pkg audit`warns about unmaintained ports (and ports without an upstream maintainer), maybe even having config options that prevent the installation of such ports - which could be on by default - would be a way to allow people to make informed decisions without removing these ports from the tree.

-m