From: gs-cygwin.com@gluelogic.com
To: Eric D Hendrickson
Cc: "Hendrickson, Eric D", "cygwin@cygwin.com"
Subject: Re: Ruby EOL in Cygwin 3.4.9?
Date: Thu, 12 Oct 2023 00:46:53 -0400

On Wed, Oct 11, 2023 at 11:15:40PM -0500, Eric D Hendrickson wrote:
> Hello,
>
> Thanks for your reply. Again, to the point that this is an all volunteer
> effort.
>
> And not taking away from any of what you said.
>
> However, sorry I was not more clear. The issue here is as follows.
>
> Is Cygwin as a whole not more important than any one package?
>
> Cygwin is distributing a suite of packages. Are you really saying that if
> there were a 0day vulnerability discovered in an EOL package still being
> distributed by Cygwin, that this would do no damage to the reputation of
> Cygwin?
>
> How does Cygwin being an all volunteer effort have any bearing on this
> question, other than the time and interest of the volunteers?
>
> Perhaps the volunteer team should consider adopting a process of evaluating
> the support status of every package it redistributes, even at the expense
> of slowing down the rate of releases. Or dropping packages when no one has
> the time or interest in creating a package from a supported version of the
> tool in question.
>
> Again for the benefit of Cygwin as a whole - distributing EOL packages
> could put Cygwin as a whole at risk, which I'm sure you would agree is much
> worse than dropping a package from the suite.
>
> This goes back to my other question -
>
> Is there an Issues log or backlog a la GitHub where bugs / enhancement
> requests / feature suggestions like this can be logged for future
> consideration / evaluation, instead of one off discussions in this
> ephemeral medium of email?
>
> thank you and Cheers to you as well,
> Eric
>
> On Wed, Oct 11, 2023 at 10:59 PM wrote:
>
> > On Wed, Oct 11, 2023 at 09:55:04PM -0500, Eric D Hendrickson via Cygwin
> > wrote:
> > > Sorry for the unclarity - I meant this for the whole list - not just you.
> > >
> > > Thank you so much for taking the time to respond. Like you said, this
> > > really is all volunteers.
> > >
> > > For the whole list:
> > >
> > > Totally taking into account the all volunteer nature of Cygwin, would it
> > > make sense to defer on further non-emergency releases of Cygwin until all
> > > packages that are EOL have been updated? Since this is the case with ruby,
> > > I am guessing it's likely the case with other packages in Cygwin too.
> > >
> > > Is there an Issues log of some sort (ala github) for Cygwin somewhere, so
> > > that I can document this in the backlog and come back later to investigate
> > > this myself if I have time this winter?
> > >
> > >
> > > On Wed, Oct 11, 2023 at 8:11 PM Eliot Moss wrote:
> > >
> > > > On 10/11/2023 6:36 PM, Hendrickson, Eric D wrote:
> > > > > Hi Eliot,
> > > > >
> > > > > Thanks for responding. That makes total sense.
> > > > >
> > > > > Totally taking into account the all volunteer nature of Cygwin,
> > > > > would it make sense to defer on further non-emergency releases of
> > > > > Cygwin until all packages that are EOL have been updated? Since
> > > > > this is the case with ruby, I am guessing it's likely the case
> > > > > with other packages in Cygwin too.
> > > > >
> > > > > Is there a backlog for Cygwin somewhere, so that I can investigate
> > > > > this myself if I have time this winter?
> > > > >
> > > > > Thank you and all the best,
> > > > > Eric
> > > > >
> > > > > -----Original Message-----
> > > > > From: Eliot Moss
> > > > > Sent: Wednesday, October 11, 2023 5:03 PM
> > > > > To: Hendrickson, Eric D ; cygwin@cygwin.com
> > > > > Cc: Eric @ Gmail
> > > > > Subject: Re: Ruby EOL in Cygwin 3.4.9?
> > > > >
> > > > > On 10/11/2023 12:37 PM, Hendrickson, Eric D via Cygwin wrote:
> > > > >> Hello all,
> > > > >>
> > > > >> As a ~25 year user and sometime contributor to Cygwin, I support
> > > > >> Cygwin here at my place of work. Does anyone know why we are
> > > > >> deploying Ruby 2.6 which EOL about 18 months ago?
> > > > >>
> > > > >> https://www.ruby-lang.org/en/downloads/branches/
> > > > >>
> > > > >> I'm concerned about proliferation of EOL versions of Ruby in case
> > > > >> some security risk / 0Day is identified.
> > > > >>
> > > > >> Please advise.
> > > > >> Eric Hendrickson
> > > >
> > > > You should send such things to the list, not me. I'm just
> > > > a user who has only made occasional small contributions ...
> > > >
> > > > Eliot
> > > >
> > > > > If nobody has responded I can give a generic response:
> > > > > "Because cygwin is all volunteer and someone has not volunteered,
> > > > > or did volunteer and is behind, or fell off the radar."
> > > > >
> > > > > Someone else will know how to look up if there is a currently
> > > > > registered volunteer for Ruby ...
> > > > >
> > > > > Eliot Moss
> > > > >
> > > > >> This e-mail, including attachments, may include confidential and/or
> > > > >> proprietary information, and may be used only by the person or entity
> > > > >> to which it is addressed. If the reader of this e-mail is not the
> > > > >> intended recipient or intended recipient’s authorized agent, the
> > > > >> reader is hereby notified that any dissemination, distribution or
> > > > >> copying of this e-mail is prohibited. If you have received this e-mail
> > > > >> in error, please notify the sender by replying to this message and
> > > > >> delete this e-mail immediately.
> > > > >>
> > > > >
> > > >
> > >
> > On Wed, Oct 11, 2023 at 09:55:04PM -0500, Eric D Hendrickson via Cygwin
> > wrote:
> > > For the whole list:
> > >
> > > Totally taking into account the all volunteer nature of Cygwin, would it
> > > make sense to defer on further non-emergency releases of Cygwin until all
> > > packages that are EOL have been updated?
> >
> > Absolutely not. That makes *zero* sense for an all volunteer group.
> >
> > Not every single package is important to everyone.
> > (I am speaking personally, as maintainer of a single package on Cygwin.)
> >
> > You care about Ruby? Good.
> > I do not use Ruby, so that is not important *to me*.
> >
> > If some specific packages are important to you, please consider finding
> > the maintainers of those packages and offering to help maintain those
> > packages.
> >
> > https://cygwin.com/cygwin-pkg-maint
> >
> > There are many ruby-* packages that have been orphaned. Have at it. :)
> >
> > Cheers, Glenn

Your suggestions might be given slightly more weight if you made *any*
substantive contribution besides sharing your questionable assumptions,
and opinions on work that you think *other* people (who are volunteers)
should do.

Aside: The preference on this list is to bottom-post.