A couple of days ago I looked at p7zip and noticed that it’s basically unmaintained upstream and full of holes. Now I’m looking at libid3tag and… last upstream release 2004, multiple CVEs with patches floating around the internet. Just DoS, though.
Basically I’ve got a 100% hit rate when going through broken.sh right now for unmaintained upstreams.
So I’m wondering, what’s the correct time to deprecate software in nixpkgs?
Some small software projects may well be (mostly) feature complete with no important bugs and had their last release more than 10 years ago. That could be totally fine.
For other projects there is no developer anymore and the software has several security-critical bugs.
Where do we draw the line?
Do dependencies that other software have on that project influence our decision?
Personally I’d only mark dormant projects with a known CVE that isn’t fixed upstream and ignore how long there has not been a new release.
What’s your take on this? And is meta.knownVulnerabilities a good tag for this?
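For reference, this is how marking such a package with meta.knownVulnerabilities looks in practice, together with the explicit opt-in a user needs once it is set. Added example, not from the original post or nixpkgs itself; the CVE id, the overlay placement and the libid3tag version string are assumptions/placeholders.

```nix
# Added example (not from the original post). A NixOS module fragment that
# marks libid3tag as carrying an unfixed vulnerability and shows the opt-in.
{ ... }:
{
  nixpkgs.overlays = [
    (final: prev: {
      libid3tag = prev.libid3tag.overrideAttrs (old: {
        meta = (old.meta or { }) // {
          # Free-text entries; while this list is non-empty nixpkgs refuses to
          # evaluate the package unless the user explicitly permits it below.
          knownVulnerabilities = (old.meta.knownVulnerabilities or [ ]) ++ [
            # Placeholder id: take the real CVE from the upstream patch/advisory.
            "CVE-XXXX-YYYY: unpatched denial of service in tag parsing; last upstream release 2004"
          ];
        };
      });
    })
  ];

  # Opt-in for hosts that still need the package. Matched against the
  # derivation name (pname-version); the version here is a placeholder.
  nixpkgs.config.permittedInsecurePackages = [ "libid3tag-0.15.1b" ];
}
```

Without the permittedInsecurePackages entry (or NIXPKGS_ALLOW_INSECURE=1 for ad-hoc builds) evaluation aborts with the listed text, which is what makes the tag a deprecation signal rather than just a note.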