Date: Thu, 12 Oct 2023 00:46:53 -0400
To: Eric D Hendrickson
Cc: "Hendrickson, Eric D", "cygwin AT cygwin DOT com"
Subject: Re: Ruby EOL in Cygwin 3.4.9?
From: "gs-cygwin.com--- via Cygwin"
Reply-To: gs-cygwin DOT com AT gluelogic DOT com

On Wed, Oct 11, 2023 at 11:15:40PM -0500, Eric D Hendrickson wrote:
> Hello,
>
> Thanks for your reply. Again, to the point that this is an all volunteer
> effort.
>
> And not taking away from any of what you said.
>
> However, sorry I was not more clear. The issue here is as follows.
>
> Is Cygwin as a whole not more important than any one package?
>
> Cygwin is distributing a suite of packages. Are you really saying that if
> there were a 0day vulnerability discovered in an EOL package still being
> distributed by Cygwin, that this would do no damage to the reputation of
> Cygwin?
>
> How does Cygwin being an all volunteer effort have any bearing on this
> question, other than the time and interest of the volunteers?
>
> Perhaps the volunteer team should consider adopting a process of evaluating
> the support status of every package it redistributes, even at the expense
> of slowing down the rate of releases. Or dropping packages when no one has
> the time or interest in creating a package from a supported version of the
> tool in question.
>
> Again for the benefit of Cygwin as a whole - distributing EOL packages
> could put Cygwin as a whole at risk, which I'm sure you would agree is much
> worse than dropping a package from the suite.
>
> This goes back to my other question -
>
> Is there an Issues log or backlog a la GitHub where bugs / enhancement
> requests / feature suggestions like this can be logged for future
> consideration / evaluation, instead of one off discussions in this
> ephemeral medium of email?
>
> thank you and Cheers to you as well,
> Eric
>
> On Wed, Oct 11, 2023 at 10:59 PM wrote:
>
> > On Wed, Oct 11, 2023 at 09:55:04PM -0500, Eric D Hendrickson via Cygwin
> > wrote:
> > > Sorry for the unclarity - I meant this for the whole list - not just you.
> > >
> > > Thank you so much for taking the time to respond. Like you said, this
> > > really is all volunteers.
> > >
> > > For the whole list:
> > >
> > > Totally taking into account the all volunteer nature of Cygwin, would it
> > > make sense to defer on further non-emergency releases of Cygwin until all
> > > packages that are EOL have been updated? Since this is the case with ruby,
> > > I am guessing it's likely the case with other packages in Cygwin too.
> > >
> > > Is there a Issues log of some sort (ala github) for Cygwin somewhere, so
> > > that I can document this in the backlog and come back later to investigate
> > > this myself if I have time this winter?
> > >
> > >
> > > On Wed, Oct 11, 2023 at 8:11 PM Eliot Moss wrote:
> > >
> > > > On 10/11/2023 6:36 PM, Hendrickson, Eric D wrote:
> > > > > Hi Eliot,
> > > > >
> > > > > Thanks for responding. That makes total sense.
> > > > >
> > > > > Totally taking into account the all volunteer nature of Cygwin, would it
> > > > > make sense to defer on further non-emergency releases of Cygwin until all
> > > > > packages that are EOL have been updated? Since this is the case with ruby,
> > > > > I am guessing it's likely the case with other packages in Cygwin too.
> > > > >
> > > > > Is there a backlog for Cygwin somewhere, so that I can investigate this
> > > > > myself if I have time this winter?
> > > > >
> > > > > Thank you and all the best,
> > > > > Eric
> > > > >
> > > > > -----Original Message-----
> > > > > From: Eliot Moss
> > > > > Sent: Wednesday, October 11, 2023 5:03 PM
> > > > > To: Hendrickson, Eric D ; cygwin AT cygwin DOT com
> > > > > Cc: Eric @ Gmail
> > > > > Subject: Re: Ruby EOL in Cygwin 3.4.9?
> > > > >
> > > > > On 10/11/2023 12:37 PM, Hendrickson, Eric D via Cygwin wrote:
> > > > >> Hello all,
> > > > >>
> > > > >> As a ~25 year user and sometime contributor to Cygwin, I support Cygwin
> > > > >> here at my place of work. Does anyone know why we are deploying Ruby 2.6
> > > > >> which EOL about 18 months ago?
> > > > >>
> > > > >> https://www.ruby-lang.org/en/downloads/branches/
> > > > >>
> > > > >> I'm concerned about proliferation of EOL versions of Ruby in case some
> > > > >> security risk / 0Day is identified.
> > > > >>
> > > > >> Please advise.
> > > > >> Eric Hendrickson
> > > >
> > > > You should send such things to the list, not me. I'm just
> > > > a user who has only made occasional small contributions ...
> > > >
> > > > Eliot
> > > >
> > > > > If nobody has responded I can give a generic response:
> > > > > "Because cygwin is all volunteer and someone has not volunteered, or did
> > > > > volunteer and is behind, or fell off the radar."
> > > > >
> > > > > Someone else will know how to look up if there is a currently registered
> > > > > volunteer for Ruby ...
> > > > >
> > > > > Eliot Moss
> > > > >
> > > > >> This e-mail, including attachments, may include confidential and/or
> > > > >> proprietary information, and may be used only by the person or entity
> > > > >> to which it is addressed.
> > > > >> If the reader of this e-mail is not the
> > > > >> intended recipient or intended recipient’s authorized agent, the
> > > > >> reader is hereby notified that any dissemination, distribution or
> > > > >> copying of this e-mail is prohibited. If you have received this e-mail
> > > > >> in error, please notify the sender by replying to this message and
> > > > >> delete this e-mail immediately.
> > > > >>
> > > > >
> > > >
> > >
> > On Wed, Oct 11, 2023 at 09:55:04PM -0500, Eric D Hendrickson via Cygwin
> > wrote:
> > > For the whole list:
> > >
> > > Totally taking into account the all volunteer nature of Cygwin, would it
> > > make sense to defer on further non-emergency releases of Cygwin until all
> > > packages that are EOL have been updated?
> >
> > Absolutely not. That makes *zero* sense for an all volunteer group.
> >
> > Not every single package is important to everyone.
> > (I am speaking personally, as maintainer of a single package on Cygwin.)
> >
> > You care about Ruby? Good.
> > I do not use Ruby, so that is not important *to me*.
> >
> > If some specific packages are important to you, please consider finding
> > the maintainers of those packages and offering to help maintain those
> > packages.
> >
> > https://cygwin.com/cygwin-pkg-maint
> >
> > There are many ruby-* packages that have been orphaned. Have at it.
> > :)
> >
> > Cheers, Glenn

Your suggestions might be given slightly more weight if you made *any*
substantive contribution besides sharing your questionable assumptions,
and opinions on work that you think *other* people (who are volunteers)
should do.

Aside: The preference on this list is to bottom-post.

--
Problem reports: https://cygwin.com/problems.html
FAQ: https://cygwin.com/faq/
Documentation: https://cygwin.com/docs.html
Unsubscribe info: https://cygwin.com/ml/#unsubscribe-simple