On Fri, Nov 11, 2011 at 12:19, Ilya Chernykh <anixxsus(a)gmail.com> wrote:
> Hi!
> This is an extensive objection by a KDE4 developer against marketing and promoting KDE3
> and/or Trinity.
> I would like to see what you can say in response as it seems he expresses quite common
> sentiments of distribution developers towards KDE3.

KDE3 I can understand, as it is technically dead.
Trinity, however, is not.

> 1) Quality and security. Despite the KDE:KDE3 maintainer's high degree of
> activity in packaging every KDE 3 app out there and adapting the KDE 3
> platform to build on current distributions, it is a mistake to equate this
> with sufficient maintenance to ensure adequate code quality to include this in
> our distribution. The KDE 3 and Qt 3 codebases are massive, include code in
> all the worst places to have a vulnerability, have been essentially
> unmaintained for over 2 years now, and *include many known bugs and
> vulnerabilities that have only been fixed in the 4 releases*.

This is nothing to do with Trinity.

> Assurances that the project is now maintained upstream by the Trinity project
> are hollow; the Trinity group is only a handful of people, none of whom are
> the original maintainers or developers of the code, and most of their effort
> is spent on writing a Qt4 compatibility layer and in porting the build system
> to cmake, not maintenance. In any case, the packages in KDE:KDE3 are based on
> 3.5.10 and only include some changes from the Trinity project's fork, which is
> now 3.5.12.

While this may be partially true, we are getting more help every day.
The focus has currently shifted off a Qt4 compatibility layer to
maintenance and cmake, because not only is cmake vital to fixing build
problems, but that actually counts as maintenance. Also, we have
gotten Trinity to build on more recent environments, and plan to allow
it to do so for the future. We will always continue fixing bugs, and
patching up security holes. We will always welcome outside help to
this task, which has been gladly accepted.
The Qt4 compatibility layer is not top priority.
KDE:KDE3 is still stuck on 3.5.10, and therefore does not impact us.
It was your decision to keep it there.

> openSUSE Factory maintainers made an error of judgement to resume including
> KDE 3 packages while they demonstrably fulfil the latter 3 of our drop
> criteria [2], and marketing should not join them in this.

This is regarding KDE:KDE3, so I will not comment on this.
As for Trinity, however, they do fulfill criteria.
It fulfills the latter three criteria well, so it works. And
openSUSE's Security Team can work with us.
--
later daze. :: Robert Xu ::
rxu.lincomlinux.org :: protocol.by/rxu