Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Sat, 2012-10-06 at 01:12 +0200, Till Maas wrote:
> I believe this was only the case with earlier updates. At least I did not notice the problem with the current update and there was no negative karma to the F17 update during 91 days saying otherwise.

I was the one who gave bad karma to the F16 update, because it didn't upgrade the gconf settings properly. This is not some earlier version of the update, but the same version that has been submitted to stable.

In my opinion, we should weigh the impact of the security issue (see: http://lists.fedoraproject.org/pipermail/devel/2012-June/168616.html) against the manual intervention the user has to do to get Revelation usable again (manually deleting the ~/.gconf/schemas/apps/revelation folder). Therefore, I'm against pushing the update to stable.

Regards,
Tadej

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Sat, 6 Oct 2012 00:32:50 +0200 Till Maas opensou...@till.name wrote:
> Hi,
>
> I noticed that the revelation security update was not pushed to stable. It is now 91 days old, which makes me suspect that Jef is somehow hindered to take care of it:
> https://admin.fedoraproject.org/updates/FEDORA-2012-10269/revelation-0.4.14-1.fc17
> https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4.14-1.fc16
>
> :( I remember he was very eager to push it in a timely manner. I already wrote an e-mail to revelation-owner on 21 August. Can someone with the appropriate permissions please push the updates to stable?

Done.

> It might also be a good idea to look after his 18 other packages:
> https://admin.fedoraproject.org/pkgdb/users/packages/jspaleta?acls=owner

Please see:
http://lists.fedoraproject.org/pipermail/devel/2012-August/170690.html
and the vacation page, where he noted he would be out of contact:
http://fedoraproject.org/wiki/Vacation

kevin
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Fri, Oct 5, 2012 at 2:32 PM, Till Maas opensou...@till.name wrote:
> I noticed that the revelation security update was not pushed to stable. It is now 91 days old, which makes me suspect that Jef is somehow hindered to take care of it:

Here's the problem with that update: it breaks existing revelation setups for people because of the gconf schema change. Upstream has seen it happen in upstream bug reports. You have to nuke the gconf settings manually. If I could find a way to avoid it from happening I'd have pushed this update well ahead of my travel to the ass end of the Pacific Ocean.

As it stands I'm taking myself off the vacation list as of this evening. But it doesn't change anything. The problem with the gconf munching is still there. I still don't have a solution for it. And no one else I've asked seems to have one either.

WTF is going on with the gconf stuff that is preventing the schema change from gracefully taking effect? What do I need to change in the packaging to get it working so that the most you have to do is log out and log back into your desktop again?

-jef
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Fri, Oct 5, 2012 at 2:57 PM, Jeff Spaleta jspal...@fedoraproject.org wrote:
> Here's the problem with that update: it breaks existing revelation setups for people because of the gconf schema change.

I'll add that the additional wrinkle is that once you move to the new version, it updates the encryption on your database... which is great... but then you can't downgrade back to a version that works with the gconf settings already in your user space. So for unsuspecting users they end up with a revelation with strong encryption but with egregiously broken UI... you can search... you can't generate new passwords... it's all borked... until you nuke the gconf settings manually.

So the fact that you can't downgrade to the old version because of the encryption change... I'm not keen on pushing this until someone has a fix for the gconf stuff.

-jef
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
Ugh. Shall I unpush those from going stable then until this is figured? Sorry about that...

kevin
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Fri, Oct 5, 2012 at 3:06 PM, Kevin Fenzi ke...@scrye.com wrote:
> Ugh. Shall I unpush those from going stable then until this is figured? Sorry about that...

I am a firm believer in the Pottery Barn rule. You break it you buy it. If you feel this is important enough of a security fix to break ui then push it as an update, as long as you take point on unwinding the ui damage.

F18 will have it out of the box regardless.

The other thing to note is that for anyone who uses the revelation key file across multiple systems, once you upgrade to this version your other system with the older revelation can't open the file any more. An additional wrinkle I don't think anyone has considered. People trying to use revelation out of the box for F18 and then using that file on another Linux distribution are going to be in for a big surprise. See any other desktop oriented distros moving to the new version in their latest or upcoming releases? Revelation upstream was effectively dead for so long, I doubt many people have noticed it was forked and given a new upstream hope... or even noticed the encryption weakness when it was announced.

-jef
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Fri, 5 Oct 2012 15:20:16 -0800 Jef Spaleta jspal...@gmail.com wrote:
> On Fri, Oct 5, 2012 at 3:06 PM, Kevin Fenzi ke...@scrye.com wrote:
> > Ugh. Shall I unpush those from going stable then until this is figured? Sorry about that...
>
> I am a firm believer in the Pottery Barn rule. You break it you buy it. If you feel this is important enough of a security fix to break ui then push it as an update, as long as you take point on unwinding the ui damage.

Well, I don't use it, I just wanted to provide the security update. If you don't think it's worth pushing as a maintainer due to the breakage, I can move it back to testing.

> F18 will have it out of the box regardless.

Yeah.

> The other thing to note is that for anyone who uses the revelation key file across multiple systems, once you upgrade to this version your other system with the older revelation can't open the file any more. An additional wrinkle I don't think anyone has considered. People trying to use revelation out of the box for F18 and then using that file on another Linux distribution are going to be in for a big surprise. See any other desktop oriented distros moving to the new version in their latest or upcoming releases? Revelation upstream was effectively dead for so long, I doubt many people have noticed it was forked and given a new upstream hope... or even noticed the encryption weakness when it was announced.

Fun.

kevin
Re: Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days
On Fri, 2012-10-05 at 14:57 -0800, Jeff Spaleta wrote:
> On Fri, Oct 5, 2012 at 2:32 PM, Till Maas opensou...@till.name wrote:

25 minutes for an 'unresponsive maintainer' to respond, that has to be some sort of project record. =)

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net