On Fri, 2023-11-03 at 11:07 +0100, Dan Čermák via openSUSE Factory wrote:
Dear all,
due to Hashicorp changing the license of vagrant to the BUSL, we can no longer update vagrant in openSUSE. I don't have the cycles to maintain vagrant myself indefinitely and plan to send a delete request at the end of November to Factory. Once that goes in, I also plan to remove the Virtualization:vagrant project to reduce the number of rubygems we have in openSUSE.
If you don't like this plan and decide to scream at me, please scream an actionable plan that involves you :-)
I won't scream, but I can't quite understand why the project and the TW package have to be deleted so quickly. Can't we just freeze the current package and keep it for some time? We are keeping old vagrant versions around in Leap repositories, are they going to be removed as well?

Hashicorp has announced that "Security fixes will be backported under MPL 2.0 through December 31, 2023", but the package doesn't seem to have a history of many CVE fixes (current changelog mentions only one, from 2020).

I can see that having it in the official repo may be problematic if you step back as maintainer and nobody else volunteers. But we should be able to provide an installable TW package in some OBS project. Otherwise, people who depend on vagrant will be forced to download the binary from hashicorp. I strongly doubt that they'll be better off with that than using a 2.3.7 package from OBS. Sure, the day will come when some dependencies can't be satisfied any more, and vagrant will simply cease to work. But that day isn't near yet.

Until then, we could add a BIG FAT WARNING to the package telling users that it's frozen.

Regards
Martin