Il giorno sab, 12/03/2011 alle 11.09 -0600, Donnie Berkholz ha scritto: > > > I'm assuming you're talking only about broken builds here and not > "QA-only" bugs. My opinion is that if a tinderbox QA script is the > only > thing finding a nonfatal bug, and it's never reported or CC'd by a > user, > then it's about as low priority as you can get.
Not really. An user would never report that the package is bundling libraries, but that is actually pretty high in priority as it can lead to hidden security issues already resolved in the original library to sneak in the system. At the same time, very few users report ignored variables (CC, CFLAGS, LDFLAGS, ...) but they are just the same a problem. Especially when hardening flags are not used at all. > So this might serve as a pointer to potentially unmaintained > packages, > but clearly more investigation is required before removal. There is always the need to do manual investigation. But in general when you see a package that - ignores LDFLAGS; - shows fortify source warnings; - ignores CC; - misuses autotools; - bundle libraries. you can pretty safely assume neither somebody is looking after it, nor using it. -- Diego Elio Pettenò — Flameeyes http://blog.flameeyes.eu/
