Re: [gentoo-dev] A Gentle Reminder

2007-02-12 Thread Marcelo Góes

Both sides have valid points:

1) we should remove vulnerable cruft from the tree
2) we should not break dependencies for any arch, regardless of their
response time

I believe some communication adjustments could avoid unnecessary conflict.

If a package cannot be removed because a newer version must be stabilized
first in $arch, use something like this:

$arch,
Please stabilize package X, for earlier versions have security
vulnerabilities. For more information, see GLSA-.

When (and only then) there are no impediments, use something like this:

$maintainer,
Please remove versions Y and earlier of package X, for they have
security vulnerabilities. All architectures already have a newer
version stable and will not be affected. For more information, see
GLSA-.

Let us not get at each other's throats over this, we are better than that!

Cheers,
Marcelo

On 2/11/07, Jakub Moc [EMAIL PROTECTED] wrote:

> Matti Bickel napsal(a):
> > How about cc'ing arches, which are affected by this? You still get your
> > point across and maybe arches move it up their priority list if they see
> > a removal b/c of centuries old vulnerabilities.
>
> I did CC mips, and did write that it needs version x.y.z stabilized
> first. Sorry, enough babysitting here, either devs can read or they
> shouldn't have commit access.
>
> Period.
>
>
> --
> Best regards,
>
>  Jakub Moc
>  mailto:[EMAIL PROTECTED]
>  GPG signature:
>  http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
>  Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E
>
>  ... still no signature   ;)






--
Marcelo Góes
--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Kevin F. Quinn
On Thu, 8 Feb 2007 22:34:32 +
Stephen Bennett [EMAIL PROTECTED] wrote:

> If any of you were thinking of removing the latest stable version of a
> package, don't. Even if you're the package maintainer, even if there
> are open security bugs against it, even if someone has filed you a bug
> requesting that it be removed. If it's the latest stable version on
> any architecture, you don't remove it. If you do, we'll know, and we
> won't be happy.
>
> There. It's not that hard to understand, is it?

Do you object to such packages (specifically with security issues) being
p.masked?

I'm not sure we should be encouraging people to continue using packages
when we know there are known security issues.

-- 
Kevin F. Quinn




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
[EMAIL PROTECTED] wrote:
| Do you object to such packages (specifically with security issues)
| being p.masked?

If it's forcing a downgrade, yes.

| I'm not sure we should be encouraging people to continue using
| packages when we know there are known security issues.

You assume that being affected by a local denial of service on a system
where all users have the root password is more important than using a
package that has been verified to work by an arch team member.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Vlastimil Babka

Kevin F. Quinn wrote:
> Do you object to such packages (specifically with security issues) being
> p.masked?

I'd say drop all but the slacking arch's keywords, as Luca suggested.
It may well be one of the security-unsupported arches anyway.
--
Vlastimil Babka (Caster)
Gentoo/Java



Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Mike Frysinger
On Sunday 11 February 2007, Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
> | I'm not sure we should be encouraging people to continue using
> | packages when we know there are known security issues.

> You assume that being affected by a local denial of service on a system
> where all users have the root password is more important than using a
> package that has been verified to work by an arch team member.

wonder if there'd be a way of leveraging the glsa access tags ...

if (remote in access) screw over $ARCH in KEYWORDS
-mike




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Stephen Bennett
On Sun, 11 Feb 2007 07:56:29 -0500
Mike Frysinger [EMAIL PROTECTED] wrote:

> wonder if there'd be a way of leveraging the glsa access tags ...
>
> if (remote in access) screw over $ARCH in KEYWORDS
> -mike

If it's a security-unsupported arch we probably don't even care about
that enough to lose keywords. If a particular sysadmin does care about
security of his unsupported experimental systems, he can use his
package manager's capabilities to remove insecure packages rather than
us forcing it on everyone. When it comes to this sort of machine,
working beats secure but broken any day.



Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Kevin F. Quinn
On Sun, 11 Feb 2007 12:33:52 +
Ciaran McCreesh [EMAIL PROTECTED] wrote:

> On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
> [EMAIL PROTECTED] wrote:
> | Do you object to such packages (specifically with security issues)
> | being p.masked?
>
> If it's forcing a downgrade, yes.

> | I'm not sure we should be encouraging people to continue using
> | packages when we know there are known security issues.
>
> You assume that being affected by a local denial of service on a
> system where all users have the root password is more important than
> using a package that has been verified to work by an arch team member.

I said nothing about local denial of service; perhaps you're thinking
of a particular instance - I'm not.  To rhetorically follow your line of
discussion, you're happy to have remote exploits remain in the tree
(i.e. promoted by Gentoo) if a package is marked stable and a patch
isn't available?

The point about p.masking (rather than removal) is that we have then
made reasonable efforts to inform the user and give them the
opportunity to decide what they want to do, based on their own security
policy - which could be to unmask locally and continue regardless, or
could be to remove the package and try something else.  That way they'd
be making informed decisions.

I think if we're to promote packages that have security issues on an
arch, we need to be very clear that we're not making reasonable efforts
to ensure that arch is free of known exploits.

-- 
Kevin F. Quinn




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Raphael Marichez
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:

> I think if we're to promote packages that have security issues on an
> arch, we need to be very clear that we're not making reasonable efforts
> to ensure that arch is free of known exploits.
>

I agree. The term "promote" is perhaps a little bit exaggerated, but
vulnerability monitoring is useful only if it's exhaustive, as far as
possible.

If, say, 5% of security weaknesses are voluntarily kept in portage, that
means that security-concerned users can't rely on GLSAs and
package.mask: they should rely on their own security vulnerability
monitoring, and that means we've failed.

But a temporary masking GLSA which would not cover all arches may be
acceptable, without abuse. I still prefer to see vulnerable packages in
p.mask with a short 2-line comment and the bug number.



Cheers,
-- 
Raphael Marichez aka Falco




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 15:42:33 +0100 Kevin F. Quinn
[EMAIL PROTECTED] wrote:
| I said nothing about local denial of service; perhaps you're thinking
| of a particular instance - I'm not.  To rhetorically follow your line
| of discussion, you're happy to have remote exploits remain in the tree
| (i.e. promoted by Gentoo) if a package is marked stable and a patch
| isn't available?

You're trying to use the blanket justification of "it's security" to
break the tree, regardless of the severity of the vulnerability and
the impact of the fix. This is not a reasonable approach, and it leads
people to go around screaming at developers to go around keywording
things without proper testing, regardless of impact.

Here's an alternative policy that makes much more sense:

* Drop keywords from vulnerable versions as stable versions are
keyworded.

* Don't remove packages that will end up breaking the tree or forcing
downgrades; conversely, when vulnerable packages *can* be removed
safely, do so.

* If an arch team is lagging behind on a serious vulnerability, people
who are not Jakub politely asking for updates now and again is ok.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Matti Bickel
Ciaran McCreesh [EMAIL PROTECTED] wrote:
> On Sun, 11 Feb 2007 15:42:33 +0100 Kevin F. Quinn wrote:
> | I said nothing about local denial of service; perhaps you're thinking
> | of a particular instance - I'm not.  To rhetorically follow your line
> | of discussion, you're happy to have remote exploits remain in the tree
> | (i.e. promoted by Gentoo) if a package is marked stable and a patch
> | isn't available?
>
> You're trying to use the blanket justification of "it's security" to
> break the tree, regardless of the severity of the vulnerability and
> the impact of the fix.

And I understood he argued quite the opposite. To my knowledge the
security team p.masks common (type A and B) packages, and I'm sure
they don't do this for nothing, though I agree that probably should be
left for severity > normal.

In all other cases, a temporary GLSA, as already outlined on the team's
project page, should suffice. But then, I've no say in this and I trust
those people to take responsible action to protect Gentoo's users (you
and me among them).

> This is not a reasonable approach, and it leads
> people to go around screaming at developers to go around keywording
> things without proper testing, regardless of impact.

My reading of that target date on
http://www.gentoo.org/security/en/vulnerability-policy.xml
allows for testing with regard to impact -- the response time (and thus
possible testing time) should be reciprocal to the severity of the
vulnerability.

> Here's an alternative policy that makes much more sense:
>
> * Drop keywords from vulnerable versions as stable versions are
> keyworded.

Um, not sure I understand you correctly here:
you're suggesting the security team drops the affected package keywords
and lets arch teams re-add stable to the new ones?
This forces downgrades just like p.masking them... Basically, as a
systems administrator, you have to act on a GLSA. If that means
unmasking or re-adding keywords, I don't care.

> * Don't remove packages that will end up breaking the tree or forcing
> downgrades; conversely, when vulnerable packages *can* be removed
> safely, do so.

And is/should be done right now :-)

> * If an arch team is lagging behind on a serious vulnerability, people
> who are not Jakub politely asking for updates now and again is ok.

That's why we have security contacts on every supported arch...
They're supposed to handle that, and the policy is quite clear about what
happens if they fail (not implying they do...)

Uh, such a lengthy email, hope my point comes across:
the sec team does a good job, imho & afaik :-)
-- 
Regards, Matti Bickel
Homepage: http://www.rateu.de
Encrypted/Signed Email preferred




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 17:18:45 +0100 Matti Bickel [EMAIL PROTECTED] wrote:
| And I understood he argued quite the opposite. To my knowledge the
| security team p.masks common (type A and B) packages, and I'm sure
| they don't do this for nothing, though I agree that probably should be
| left for severity > normal.

Here's the thing though. Masking too early breaks the tree. This causes
no end of problems for arch teams who are then left having to fix not
only that but all the associated problems when developers start
removing keywords to shut repoman up (which in turn leads to more
broken deps...). That's the issue here.

|  This is not a reasonable approach, and it leads
|  people to go around screaming at developers to go around keywording
|  things without proper testing, regardless of impact.
| 
| My reading of that target date on
| http://www.gentoo.org/security/en/vulnerability-policy.xml
| allows for testing with regard to impact -- the response time (and
| thus possible testing time) should be reciprocal to the severity of
| the vulnerability.

You're assuming that all archs have enough spare time and developers to
be able to look at some security bug on an app that only had keywords
because someone keyworded it to shut repoman up straight away. This
isn't the case -- given a choice between, say, getting up to date KDE
or Gnome releases or a security vulnerability for some app with two
users, the security vulnerability quite rightly loses.

|  Here's an alternative policy that makes much more sense:
|  
|  * Drop keywords from vulnerable versions as stable versions are
|  keyworded.
| 
| Um, not sure i understand you correctly here:
| you're suggesting security team drops the affected package keywords
| and let arch teams readd stable to the new ones?

No. Arch teams could drop keywords from vulnerable versions at the same
time they stable unaffected versions.

|  * Don't remove packages that will end up breaking the tree or
|  forcing downgrades; conversely, when vulnerable packages *can* be
|  removed safely, do so.
| 
| And is/should be done right now :-)

No, what's done right now is that Jakub files whiny bugs demanding
immediate action from arch teams but assigning the bugs to package
maintainers, resulting in dropped keywords because the maintainers
assume that they can rely upon Jakub's bug descriptions being correct.
Several recent incidents like this are what prompted the initial email.

|  * If an arch team is lagging behind on a serious vulnerability,
|  people who are not Jakub politely asking for updates now and again
|  is ok.
| 
| That's why we have security contacts on every supported arches...
| They're supposed to handle that, and the policy is quite clear what
| happens if they fail (not implying they do...)

And unsupported archs? They're mostly the ones being screwed over here.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Ciaran McCreesh napsal(a):

> |  * Don't remove packages that will end up breaking the tree or
> |  forcing downgrades; conversely, when vulnerable packages *can* be
> |  removed safely, do so.
> |
> | And is/should be done right now :-)
>
> No, what's done right now is that Jakub files whiny bugs demanding
> immediate action from arch teams but assigning the bugs to package
> maintainers, resulting in dropped keywords because the maintainers
> assume that they can rely upon Jakub's bug descriptions being correct.
> Several recent incidents like this are what prompted the initial email.

Hey, kindly leave me alone...

- I'm *not* demanding anything from *arch teams*, the bugs are for
*maintainers* of those packages. I've already told you a couple of times,
why are you making these misleading statements yet again?

- Not my problem that maintainers didn't check keywords on removal (even
on bugs where mips is CCed). Developers are supposed to use *brain* when
punting vulnerable versions (like with any other commit).

- Also not my problem that $arch is still affected by such bugs months
or even years after respective GLSAs have been issued (which has caused
the ebuilds to still stay in the tree and hence made me file the bugs).
Before I've started filing these bugs, we had vulnerable crap back from
~2004 lingering in the tree.

- Leaving vulnerable junk in the tree for an indefinite period of time
sucks and is causing needless work for maintainers. We lack any policy
on this, but if some arch can't act for over a year, they deserve to get
the keywords dropped and get their deptree broken, sorry. Not
maintainers' fault that no one has cared enough.

-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| - I'm *not* demanding anything from *arch teams*, the bugs are for
| *maintainers* of those packages. I've already told you a couple of
| times, why are you making these misleading statements yet again?

And yet, somehow developers are interpreting your bugs as requests to
remove packages straight away. Why do you think this is? Maybe it's
because you assign the bugs to maintainers rather than the arch teams
and make lots of noise about it, regardless of whether arch keywording
still has to be done...

*All* the recent forced downgrade and dep tree breakages for at least
one arch have come about as a result of your highly misleading bugs.
Granted, it's ultimately the responsibility of the maintainers to check
their work, but you aren't exactly helping them with the way you're
filing bugs and screaming...

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Ciaran McCreesh napsal(a):
> On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
> | - I'm *not* demanding anything from *arch teams*, the bugs are for
> | *maintainers* of those packages. I've already told you a couple of
> | times, why are you making these misleading statements yet again?
>
> And yet, somehow developers are interpreting your bugs as requests to
> remove packages straight away. Why do you think this is? Maybe it's
> because you assign the bugs to maintainers rather than the arch teams
> and make lots of noise about it, regardless of whether arch keywording
> still has to be done...

Why should I assign bugs to arch teams??? Arch teams are not supposed to
punt stuff from the tree, it's the maintainer's job.

> *All* the recent forced downgrade and dep tree breakages for at least
> one arch have come about as a result of your highly misleading bugs.
> Granted, it's ultimately the responsibility of the maintainers to check
> their work, but you aren't exactly helping them with the way you're
> filing bugs and screaming...

Screaming? WTF really. What's misleading about listing vulnerable
versions and asking for their removal?

- check the keywords and dependencies
- if nothing is wrong, punt those
- otherwise CC the affected arch(es) and ask for keywording/stabilizing
a newer version, punt then.

Really rocket science, huh? Stop blaming me for maintainers' screwups,
TIA.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)



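The checklist in the message above (check keywords and dependencies, punt if nothing is wrong, otherwise CC the affected arch and ask for a newer version to be keyworded or stabilized first), combined with Stephen Bennett's rule that the latest stable version on any arch must not be removed and the two request templates from Marcelo Góes's message at the top of the page, as an added Python example that is neither part of the thread nor Gentoo's own tooling. The `Ebuild` and `Glsa` classes and the `check_removal` and `request_text` functions are assumptions of this example; the package name, versions, keywords, reverse dependencies and the `GLSA-XXXXXX-XX` placeholder id are constructed sample data.

```python
"""Pre-removal check for vulnerable ebuild versions.

Added example, not Gentoo's own tooling: it models the checklist from the
thread. Before punting the versions a GLSA lists as vulnerable, confirm that
no arch would lose its latest stable version and that nothing still depends
on them; otherwise ask the affected arch to stabilize a fixed version first.
The package, versions, keywords, reverse dependencies and GLSA id are
constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ebuild:
    package: str
    version: str
    keywords: frozenset  # "mips" = stable, "~mips" = testing, absent = not keyworded

    @property
    def stable_arches(self):
        return {k for k in self.keywords if not k.startswith("~")}


@dataclass(frozen=True)
class Glsa:
    glsa_id: str
    package: str
    vulnerable: frozenset  # versions the advisory lists as affected
    access: str            # the GLSA access tag: "remote" or "local"


def version_key(version):
    """Sort key so that 1.1.0 > 1.0.2 (dotted-integer versions only)."""
    return tuple(int(part) for part in version.split("."))


def check_removal(ebuilds, glsa, rdeps):
    """Report what may be removed now and what blocks the removal.

    ebuilds: every version of glsa.package currently in the tree
    rdeps:   {version: [packages whose dependency requires that exact version]}
    """
    vulnerable = [e for e in ebuilds if e.version in glsa.vulnerable]
    fixed = [e for e in ebuilds if e.version not in glsa.vulnerable]

    # An arch blocks removal when every version it has stable is vulnerable:
    # punting them would force a downgrade or leave the arch with no stable.
    blocked_by = {}
    for arch in sorted({a for e in vulnerable for a in e.stable_arches}):
        if any(arch in e.stable_arches for e in fixed):
            continue
        # Suggest the lowest fixed version that is at least keyworded ~arch.
        pool = [e for e in fixed if arch in e.keywords or "~" + arch in e.keywords] or fixed
        blocked_by[arch] = min(pool, key=lambda e: version_key(e.version)).version if pool else None

    # Packages that still depend on a vulnerable version also block removal.
    dep_blocks = {e.version: rdeps[e.version] for e in vulnerable if rdeps.get(e.version)}

    removable = [] if (blocked_by or dep_blocks) else sorted(
        (e.version for e in vulnerable), key=version_key)
    return {"remove": removable, "blocked_by": blocked_by, "rdeps": dep_blocks}


def request_text(glsa, report):
    """Render the message the thread suggests sending: a stabilization request
    to each blocking arch, or a removal request to the maintainer once nothing
    blocks. The wording follows the two templates in Marcelo's message."""
    if report["blocked_by"]:
        return "\n\n".join(
            f"{arch},\nPlease stabilize {glsa.package}-{ver}, for earlier versions have "
            f"security vulnerabilities ({glsa.access} access). For more information, "
            f"see {glsa.glsa_id}."
            for arch, ver in report["blocked_by"].items())
    if report["rdeps"]:
        deps = "; ".join(f"{v}: {', '.join(d)}" for v, d in report["rdeps"].items())
        return f"maintainer,\nNot yet removable; still required by: {deps}."
    if not report["remove"]:
        return "Nothing to do: no vulnerable version is in the tree."
    newest = max(report["remove"], key=version_key)
    return (f"maintainer,\nPlease remove versions {newest} and earlier of {glsa.package}, "
            f"for they have security vulnerabilities. All architectures already have a "
            f"newer version stable and will not be affected. For more information, "
            f"see {glsa.glsa_id}.")


# Constructed sample tree: 1.1.0 fixes the advisory but is still ~mips.
SAMPLE_GLSA = Glsa("GLSA-XXXXXX-XX", "app-misc/foo", frozenset({"1.0.1", "1.0.2"}), "remote")
SAMPLE_TREE = [
    Ebuild("app-misc/foo", "1.0.1", frozenset({"x86", "mips"})),
    Ebuild("app-misc/foo", "1.0.2", frozenset({"x86", "amd64", "mips"})),
    Ebuild("app-misc/foo", "1.1.0", frozenset({"x86", "amd64", "~mips"})),
]
# The same tree after the mips team has stabilized 1.1.0.
STABILIZED_TREE = SAMPLE_TREE[:2] + [
    Ebuild("app-misc/foo", "1.1.0", frozenset({"x86", "amd64", "mips"})),
]

if __name__ == "__main__":
    for tree in (SAMPLE_TREE, STABILIZED_TREE):
        report = check_removal(tree, SAMPLE_GLSA, {})
        print(report)
        print(request_text(SAMPLE_GLSA, report), end="\n\n")
```

Running the block prints the report and the matching request for both trees: with 1.1.0 still `~mips` the only output is a stabilization request to mips, and once mips has it stable the same advisory yields a removal request to the maintainer. The `rdeps` argument is where a reverse-dependency check plugs in; it is what the mozilla case mentioned later in the thread would have tripped on, and any dependant blocks removal just as a lagging arch does.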


Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 18:49:21 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Why should I assign bugs to arch teams??? Arch teams are not supposed
| to punt stuff from the tree, it's maintainer's job.

Because the arch teams have to do work before the maintainers can do
anything.

|  *All* the recent forced downgrade and dep tree breakages for at
|  least one arch have come about as a result of your highly
|  misleading bugs. Granted, it's ultimately the responsibility of the
|  maintainers to check their work, but you aren't exactly helping
|  them with the way you're filing bugs and screaming...
| 
| Screaming? WTF really. What's misleading about listing vulnerable
| versions and asking for their removal?

They can't be removed yet. Stop filing bugs telling people to do so.

| Really rocket science, huh? Stop blaming me for maintainers'
| screwups, TIA.

Believe it or not, Jakub, some maintainers still trust you. They expect
your bugs to be accurate. You and I know that this is highly silly, but
enough people act upon what you tell them to do that stuff gets broken
on a regular basis.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Fernando J. Pereda
On Sun, Feb 11, 2007 at 05:40:27PM +, Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
> | - I'm *not* demanding anything from *arch teams*, the bugs are for
> | *maintainers* of those packages. I've already told you a couple of
> | times, why are you making these misleading statements yet again?
>
> And yet, somehow developers are interpreting your bugs as requests to
> remove packages straight away. Why do you think this is? Maybe it's
> because you assign the bugs to maintainers rather than the arch teams
> and make lots of noise about it, regardless of whether arch keywording
> still has to be done...

In case someone thinks this is just ciaranm inventing stuff, this
happened not too long ago.

Some mozilla package got p.masked while some ebuilds still depended on
it. It is definitely _not_ Jakub to blame (imho) but I'm pretty sure
said developer *thought* he had checked rdeps before. Result: some
people (users here) got screwed because of a misunderstanding.

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Ciaran McCreesh napsal(a):
> | Screaming? WTF really. What's misleading about listing vulnerable
> | versions and asking for their removal?
>
> They can't be removed yet. Stop filing bugs telling people to do so.

Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
it stay in the tree forever (unless some $we_all_know_which_arch dev
wakes up by miracle and moves)?

> Believe it or not, Jakub, some maintainers still trust you. They expect
> your bugs to be accurate. You and I know that this is highly silly, but
> enough people act upon what you tell them to do that stuff gets broken
> on a regular basis.

Oh, there's nothing like attacking someone for someone else's fault.
Won't waste my time on your trollish rants any more.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 19:50:02 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh napsal(a):
|  | Screaming? WTF really. What's misleading about listing vulnerable
|  | versions and asking for their removal?
|  
|  They can't be removed yet. Stop filing bugs telling people to do so.
| 
| Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
| it stay in the tree forever (unless some $we_all_know_which_arch dev
| wakes up by miracle and moves)?

You should focus upon the arch teams, not the maintainers who can't do
anything until the arch teams catch up anyway.

And are you aware that the mips team spends most of its time trying to
catch up with people breaking the tree? If they didn't have to do that,
they'd be able to get to the bugs about which you care faster.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Alexander Færøy napsal(a):
> Hi,
>
> On Sun, Feb 11, 2007 at 07:50:02PM +0100, Jakub Moc wrote:
> > Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
> > it stay in the tree forever (unless some $we_all_know_which_arch dev
> > wakes up by miracle and moves)?
>
> If you give away enough usable information, then sure.
>
> Though! We have seen that, for example in bug #164182[1], that you filed
> ended up in a removal of the latest stable version of imagemagick on
> MIPS.

Pardon me, but this is *really* too much.

<snip>
Please, remove the above once 6.3.0.5 has been stabilized on mips.
Thanks. :)
</snip>

So, what are you blaming me for here? Grrr.

-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| So, what are you blaming me for here? Grrr.

Misassigning or premature filing, as you prefer.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Matti Bickel
Jakub Moc [EMAIL PROTECTED] wrote:
> Ciaran McCreesh napsal(a):
> > | Screaming? WTF really. What's misleading about listing vulnerable
> > | versions and asking for their removal?
> >
> > They can't be removed yet. Stop filing bugs telling people to do so.
>
> Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
> it stay in the tree forever (unless some $we_all_know_which_arch dev
> wakes up by miracle and moves)?

How about cc'ing arches, which are affected by this? You still get your
point across and maybe arches move it up their priority list if they see
a removal b/c of centuries old vulnerabilities.

I'm happy with you reporting vulnerable ebuilds and requesting action on
them.  However, I agree with mips that breaking their deptree is bad. I
know they're working really hard (keep in mind the machines they've got) on
getting things done.

I still don't see the point of removing stable keywords from those
ebuilds, though. I'd like to keep the p.mask for this, maybe with mips
and other arches known to lag behind unmasking the ebuilds in question.
(That would at least say we're aware that these versions are vulnerable
but can't upgrade yet.)
-- 
Regards, Matti Bickel
Homepage: http://www.rateu.de
Encrypted/Signed Email preferred




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Andrej Kacian
On Sun, 11 Feb 2007 19:50:02 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

> Won't waste my time on your trollish rants any more.

Hehe, whenever you write this, there's always several more posts from you down
the same thread. It's kind of amusing.

-- 
Andrej Ticho Kacian ticho at gentoo dot org
Gentoo Linux Developer - net-mail, antivirus, sound, x86




Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Ciaran McCreesh napsal(a):
> On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
> | So, what are you blaming me for here? Grrr.
>
> Misassigning or premature filing, as you prefer.

Oh sure... Next time, blame me for Sept 11, keep amusing us by your
bullshit.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Jakub Moc
Matti Bickel napsal(a):
> How about cc'ing arches, which are affected by this? You still get your
> point across and maybe arches move it up their priority list if they see
> a removal b/c of centuries old vulnerabilities.

I did CC mips, and did write that it needs version x.y.z stabilized
first. Sorry, enough babysitting here, either devs can read or they
shouldn't have commit access.

Period.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Stephen Bennett
On Sun, 11 Feb 2007 22:23:44 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

> Oh sure... Next time, blame me for Sept 11, keep amusing us by your
> bullshit.

If you like, I can say that you killed Jesus and were single-handedly
responsible for the extinction of the dinosaurs. Would that make you
happy?



Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Ciaran McCreesh
On Sun, 11 Feb 2007 21:52:55 +0100 Matti Bickel [EMAIL PROTECTED] wrote:
| How about cc'ing arches, which are affected by this? You still get
| your point across and maybe arches move it up their priority list if
| they see a removal b/c of centuries old vulnerabilities.

How about assigning the bug to the people who can do the work, rather than
to people who can't change a thing until people on the Cc: list are
done?

For someone who moans about bug spam, Jakub sure is causing a lot of it
for other people...

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/





Re: [gentoo-dev] A Gentle Reminder

2007-02-11 Thread Olivier Crête
On Sun, 2007-11-02 at 22:46 +, Stephen Bennett wrote:
> On Sun, 11 Feb 2007 22:23:44 +0100
> Jakub Moc [EMAIL PROTECTED] wrote:
>
> > Oh sure... Next time, blame me for Sept 11, keep amusing us by your
> > bullshit.
>
> If you like, I can say that you killed Jesus and were single-handedly
> responsible for the extinction of the dinosaurs. Would that make you
> happy?

Are you implying that he is the One True God ?

-- 
Olivier Crête
[EMAIL PROTECTED]
Gentoo Developer

