| 2 Nov 2024 |
 Tomodachi94 (they/them) | * If not for the listed maintainer that hasn't touched it since 2018, it would be eligible for dropping under that new RFC too (RFC 180) | 02:02:59 |
| Tomodachi94 (they/them) | In reply to@emilazy:matrix.org
gotta resist the mentality of being responsible for every package that the maintainers clearly haven't taken responsibility for Yes, 100%, I've fallen into this trap several times | 02:03:40 |
 emily | In reply to @tomodachi94:matrix.org
If not for the listed maintainer that hasn't touched it since 2018, it would be eligible for dropping under that new RFC too (RFC 180) we have regular silly disagreements about removing inactive maintainers | 02:04:27 |
| emily | but yes, under any reasonable policy that maintainer would be removed from Nixpkgs soon (no slight against them! just a reflection of reality that they aren't maintaining packages) and then this package would die a natural death a while after | 02:04:55 |
| emily | in the absence of functioning process, might as well skip to the conclusion | 02:05:10 |
| Tomodachi94 (they/them) | Apparently Anderson Torres is drafting an RFC to drop vanishing maintainers too, but I have no clue when that will happen | 02:05:33 |
| Tomodachi94 (they/them) | * Apparently Anderson Torres is drafting an RFC to drop "vanishing" maintainers too, but I have no clue when that will happen | 02:05:41 |
| emily | there's an asymmetry in Nixpkgs where our package inclusion standards are very low – we let in so many packages that we can't afford to make it rough to drop dormant ones | 02:05:52 |
| emily | (not in contradiction with our review process being very bikesheddy: people will bikeshed all day about your Nix expression but rarely will they ask if it's worth packaging something at all) | 02:06:13 |
| Tomodachi94 (they/them) | I'm going to make the drop PR and see if the maintainer cares at all | 02:06:30 |
| Tomodachi94 (they/them) | If the maintainer doesn't respond in a few days, <Merge pull request> :) | 02:06:54 |
| emily | sure, maybe just roll it into the oraclejdk drop? | 02:07:03 |
| emily | and if you could update the manual section to not reference it in that one too that'd be great | 02:07:16 |
| Tomodachi94 (they/them) | In reply to@emilazy:matrix.org
sure, maybe just roll it into the oraclejdk drop? Maybe. I'm going to hunt for CVEs for it as well, so there's slightly stronger justification | 02:07:43 |
| emily | probably not many people filing CVEs for a proprietary Java Card devkit I imagine | 02:08:04 |
| Tomodachi94 (they/them) | * Maybe. I'm going to hunt for CVEs for javacard-devkit as well, so there's slightly stronger justification | 02:08:05 |
| emily | IMO the justification is: it depends on a package being removed for being an unmaintained security disaster, is many years of out of date compared to what we could be packaging (there are modern Linux versions: https://www.oracle.com/java/technologies/javacard-downloads.html#sdk-sim), and it has been untouched since 2018 so there is no reason to expect that the former two will be resolved (and it's not your job to do so) | 02:09:54 |
| Tomodachi94 (they/them) | Yeah fair. I'm finding 3 CVEs for the hardware itself, but nothing for the devkit | 02:09:55 |
| Tomodachi94 (they/them) | (meant to be in reply to your message before justification) | 02:10:56 |
| Tomodachi94 (they/them) | shakes fist at Atlassian Confluence & Crowd & Jira, and Docear packages for having an obscured dependency on oraclejre | 02:19:21 |
| emily | oh boy | 02:21:40 |
| emily | Atlassian only supports the Oracle JRE (JRASERVER-46152).
| 02:21:49 |
| emily | 🤡 | 02:21:51 |
| Tomodachi94 (they/them) | So much for dropping OracleJDK/JRE 🤡 | 02:22:20 |
| emily | are you sure? | 02:22:27 |
| emily | you assume that these packages are, themselves, maintained | 02:22:40 |
| emily | damn apparently at least one of them is | 02:22:59 |
| emily | anyway, Atlassian definitely won't support running on an Oracle JDK from 2021 | 02:23:14 |
| Tomodachi94 (they/them) | The Atlassian stuff is in the NixOS modules (I suspect it should actually be something configured in the package, but I digress) | 02:23:52 |
| emily | https://jira.atlassian.com/browse/JRASERVER-46152 | 02:24:01 |
