Re: Calligra stable releases not in Debian stable Jessi

2016-10-12 Thread Jaroslaw Staniek
On 8 October 2016 at 15:20, Maximiliano Curia  wrote:

> Hello Jaroslaw!
>
> On 2016-10-01 at 00:43 +0200, Jaroslaw Staniek wrote:
>
>> On 1 October 2016 at 00:18, Nicolás Alvarez 
>> wrote:
>>
>>> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek :
>>>
>> Honestly, we know via telemetrics that more than needed users run
>> outdated software.
>>
>
> What kind of telemetrics are these?
>

Overview and stats here:
https://blogs.kde.org/2013/12/09/usage-stats


-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek


Re: Calligra stable releases not in Debian stable Jessi

2016-10-08 Thread Jaroslaw Staniek
On 8 October 2016 at 15:13, Maximiliano Curia  wrote:

> Hello Jaroslaw!
>
> On 2016-09-30 at 11:31 +0200, Jaroslaw Staniek wrote:
>
>> I am maintainer of Kexi, one of Calligra apps. I've just noticed that in
>> Debian stable Jessi the recent Calligra is 2.8.5 which is 13 releases old.
>> There are no updates to 2.8.7, and zero updates to 2.9.*.
>>
>
>> 2.8.5 is a July 2014 version. Due to security and stability issues it may
>> be even better *not* to have this version released at all than receiving
>> reports and users thinking that's the most recent version (this is my own
>> opinion).
>>
>
>> When users run, say, a Raspberry, they see that old and unsupported (by
>> us) version. So here Jessi distributes this unstable software despite many
>> updates being available. I don't see the same issue with MySQL for example,
>> which was updated just this month. Maybe a man power issue?
>>
>
>> I have questions then:
>> - what happens?
>>
>
> Debian has a release cycle of around 2 years. It uses three separate
> tracks: unstable, testing and stable.
>
> For the first ~20 months of this cycle the package maintainers make
> regular updates to unstable and testing, adding new software to the archive
> in order to prepare for the next stable release. Packages first go through
> unstable and after a while they enter into testing which is what will be
> eventually considered for the stable release.
>
> The last part of the cycle is a freeze period where no new versions are
> introduced and all the efforts go to finish the integration of the system,
> closing as many bugs as possible, backporting upstream fixes, etc.
>
> At the end of this cycle the release is tagged as stable and stops
> receiving updates, except for critical bugs, and security related issues.
> These updates are evaluated by the stable release team and/or the security
> team, once accepted they are available in the proposed-updates or the
> security archives till the next stable point release.
>
> Almost no software gets new versions in the stable release; very few
> exceptions are made for critical security bugs in software for which it's
> infeasible to backport the corresponding fixes (an exception was made for
> firefox some years ago, and also for mariadb not so long ago), and this is
> actually a sign that there is something wrong with the software.
>
>
> Jessie is currently the stable Debian version, the current testing version
> is called stretch, and is about to enter in the freeze stage.
>
>> - what can be done to fix the situation?
>>
>
> The version of calligra that you point out is in the stable release and
> won't get updated to a new version. The package maintainers could decide to
> backport some critical fix.
>
> Could you point out the issues that you consider critical in 2.8.5?
>

Thanks for the explanation, Maximilian.

If I can summarize (maybe not just for you, as you have an in-depth
understanding, but more for users and people from outside our projects):
if I understand correctly, the 'stability' term used by Debian is a
distribution-oriented one. Do you agree that releasing stability fixes for
software, not just serious security fixes, is part of maintaining software
stability?

Even if we're staying with Kexi as an example, because of better
familiarity, let's look at the basic changelog of its 24+ months old version
(not present in Debian stable):
https://www.calligra.org/news/calligra-2-8-6-released/

It was *really* surprising for me that Debian Stable has no 2.8.7 on
offer. Knowing the idea of freezing already, I have not asked for 2.9.x, but
we have semantic versioning and release cycles for a purpose: to serve
better and predictably.

It's clear that Kexi, even if updated to 2.8.6, is more stable than 2.8.5,
right?
Obviously there are fixes of the "I can't use the software anymore" category.
Are these fixes critical? Yes, if actually *using* the software for a
practical purpose is the goal, not the ability to have any version installable.
If you're asking about security threats removed, there are such beasts;
please refer to my examples for the 2.8.7 release given in this thread.

Regarding "I can't use the software anymore" kinds of bugs. As MS discovered
long ago with the beloved Office 97, users run something like 20% of the
functionality but everyone uses a slightly different 20%. So Kexi and
Calligra also offer a huge feature set, as any integrated software package
does; possible applications/combinations are hard to imagine or predict.
No doubt there are users for whom versions 2.8.[0-5] contain critical
issues in features they depend on, so the software in that version is a
no-go for them.

What the user's perceived definition of stability is remains an open question.
I have my opinion here, as I usually try to take the user's side. I'm not in a
position to influence how distributors implement their mission. So feel
free to just use this long reply as justification of why these stories can
convince developers to prefer more direc

Re: Calligra stable releases not in Debian stable Jessi

2016-10-08 Thread Maximiliano Curia

Hello Jaroslaw!

On 2016-10-01 at 00:43 +0200, Jaroslaw Staniek wrote:
> On 1 October 2016 at 00:18, Nicolás Alvarez  wrote:
>> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek :
>
> Honestly, we know via telemetrics that more than needed users run
> outdated software.

What kind of telemetrics are these?

Happy hacking,
--
"If I ask another professor what he teaches in the introductory programming
course, whether he answers proudly "Pascal" or diffidently "FORTRAN," I know
that he is teaching a grammar, a set of semantic rules, and some finished
algorithms, leaving the students to discover, on their own, some process of
design."
-- Robert W. Floyd
Regards /\/\ /\ >< `/




Re: Calligra stable releases not in Debian stable Jessi

2016-10-08 Thread Maximiliano Curia

Hello Jaroslaw!

On 2016-09-30 at 11:31 +0200, Jaroslaw Staniek wrote:
> I am maintainer of Kexi, one of Calligra apps.
> I've just noticed that in Debian stable Jessi the recent Calligra is 2.8.5
> which is 13 releases old. There are no updates to 2.8.7, and zero updates to
> 2.9.*.
>
> 2.8.5 is a July 2014 version. Due to security and stability issues it may be
> even better *not* to have this version released at all than receiving reports
> and users thinking that's the most recent version (this is my own opinion).
>
> When users run, say, a Raspberry, they see that old and unsupported (by us)
> version. So here Jessi distributes this unstable software despite many updates
> being available. I don't see the same issue with MySQL for example, which was
> updated just this month. Maybe a man power issue?
>
> I have questions then:
> - what happens?

Debian has a release cycle of around 2 years. It uses three separate tracks:
unstable, testing and stable.

For the first ~20 months of this cycle the package maintainers make regular
updates to unstable and testing, adding new software to the archive in order
to prepare for the next stable release. Packages first go through unstable and
after a while they enter into testing, which is what will be eventually
considered for the stable release.

The last part of the cycle is a freeze period where no new versions are
introduced and all the efforts go to finishing the integration of the system,
closing as many bugs as possible, backporting upstream fixes, etc.

At the end of this cycle the release is tagged as stable and stops receiving
updates, except for critical bugs and security related issues. These updates
are evaluated by the stable release team and/or the security team; once
accepted they are available in the proposed-updates or the security archives
till the next stable point release.

Almost no software gets new versions in the stable release; very few
exceptions are made for critical security bugs in software for which it's
infeasible to backport the corresponding fixes (an exception was made for
firefox some years ago, and also for mariadb not so long ago), and this is
actually a sign that there is something wrong with the software.

Jessie is currently the stable Debian version, the current testing version is
called stretch, and is about to enter the freeze stage.

> - what can be done to fix the situation?

The version of calligra that you point out is in the stable release and won't
get updated to a new version. The package maintainers could decide to backport
some critical fix.

Could you point out the issues that you consider critical in 2.8.5?

> - how to coordinate better?

There are two things that could improve coordination:

- Notifying the package maintainers of critical issues that need to be fixed
  in the stable release.
  This could be done either through a bug or by sending a private mail to the
  uploaders (which sometimes is needed for certain security related issues).

- Coordinating on the version to release for the next stable release.
  The current version for stretch is: 2.9.11
  This could be changed if need be.

Regarding manpower, calligra is a big and scary (from the maintainers' point of
view) piece of software. In the past year, two different contributors tried
working on it and gave up after a while; calligra was not in testing for a few
months until finally someone else had the time to pick it up and uploaded it.

Given this situation, following upstream commits and announcements in order to
evaluate whether they fix critical issues is currently infeasible.
Collaborating with upstream would make this better.


Happy hacking,
--
"Seek simplicity, and distrust it." -- Whitehead's Rule
Regards /\/\ /\ >< `/




Re: Calligra stable releases not in Debian stable Jessi

2016-09-30 Thread Jaroslaw Staniek
On 1 October 2016 at 00:18, Nicolás Alvarez  wrote:
> 2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek :
>>
>> Dear Debian contributors,
>> I am maintainer of Kexi, one of Calligra apps.
>> I've just noticed that in Debian stable Jessi the recent Calligra is 2.8.5
>> which is 13 releases old. There are no updates to 2.8.7, and zero updates to
>> 2.9.*.
>>
>> 2.8.5 is a July 2014 version. Due to security and stability issues it may be
>> even better *not* to have this version released at all than receiving
>> reports and users thinking that's the most recent version (this is my own
>> opinion).
>>
>> When users run, say, a Raspberry, they see that old and unsupported (by us)
>> version. So here Jessi distributes this unstable software despite many
>> updates being available. I don't see the same issue with MySQL for example,
>> which was updated just this month. Maybe a man power issue?
>>
>> I have questions then:
>> - what happens?
>> - what can be done to fix the situation?
>> - how to coordinate better?
>>
>
> Jessie is frozen, I doubt Kexi 2.9 will ever be in 'jessie'. I don't
> see how MySQL is different, the latest version from upstream is
> 5.7.15, Jessie has 5.5.52, it was upgraded from 5.5.50 because of a
> specific security fix.
>
> See this for the criteria to get an update in stable:
> https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
>
> Can you mention specific security bugs that 2.8.5 has? That could
> justify bringing 2.8.7 in (or backporting the security fixes).
>
> And maybe 2.9 could be in the 'jessie-backports' repository. But I
> wouldn't expect it in 'jessie'.
>
>
> Of course, this is in addition to the possible lack of manpower to do
> such packaging :)

Thanks for the useful info, Nicolás.
Let's see the 1st commit from 2.8.7, which removes the possibility of preparing
an attack that can crash your db. Please see below. It's enough to cause Kexi
to ask a specific question and it enters an infinite loop and exits with an
exception, thus e.g. losing unsaved designs.
Really we did not set a formal distinction between types of instabilities,
knowing that *normally* distributors take all fixes and deploy them to
the users; because this is connected/network software for a multiuser
environment, consequences may be more serious than, say, in a locally
running text editor.

Honestly, we know via telemetrics that more than needed users run
outdated software.
And request free support for it.

commit db59286ef26be67eccf6f0fb31e5abdcf9911d02
Author: Jaroslaw Staniek 
Date:   Tue Nov 25 23:06:03 2014 +0100

Fix infinite recursion in msghandler.cpp

The Calligra 2.7.90 build log using msvc2010 gives this warning
concerning msghandler.cpp: 'KexiDB::MessageHandler::askQuestion' :
recursive on all control paths, function will cause runtime stack overflow

Thanks, Stephen Leibowitz
CCMAIL:librestep...@gmail.com
REVIEW:121180
FIXED-IN:2.8.7

Another, specific query can be passed by one user to another and cause
a crash; in theory also executing arbitrary code on some
architectures:

commit eaefd12562da5b422ae175351423fa15fd1a2cb4
Author: Jaroslaw Staniek 
Date:   Wed Jun 4 13:12:22 2014 +0200

Fix crash when accessing a query with duplicated table names

Example query that crashed: SELECT t.foo FROM t, t.
Now error message is displayed so user can fix the statement.

BUG:315852
FIXED-IN:2.8.4


If the database serves more than one user it can also mean denial of
service attacks: it's enough to set a query to be always executed
initially, e.g. for a main form.

-- 
regards, Jaroslaw Staniek

KDE:
: A world-wide network of software engineers, artists, writers, translators
: and facilitators committed to Free Software development - http://kde.org
Calligra Suite:
: A graphic art and office suite - http://calligra.org
Kexi:
: A visual database apps builder - http://calligra.org/kexi
Qt Certified Specialist:
: http://www.linkedin.com/in/jstaniek
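A check of the kind the second commit above describes, written here as an added example in Python (it is not Kexi or KexiDB code): it scans the FROM clause of a simple SELECT and reports a table name or alias that is bound twice, so a statement such as SELECT t.foo FROM t, t is rejected with an error message instead of reaching code that cannot resolve t.foo. The regex-based parsing and the case-insensitive identifier comparison are assumptions made for this illustration.

```python
import re
from typing import List, Optional, Tuple

# Matches the table list of a simple SELECT ... FROM ... [WHERE|GROUP|ORDER|LIMIT].
# Constructed for this illustration: JOIN syntax and subqueries are not handled.
FROM_RE = re.compile(
    r"\bFROM\s+(.+?)(?=\s+(?:WHERE|GROUP|ORDER|LIMIT)\b|\s*;|\s*$)",
    re.IGNORECASE | re.DOTALL,
)


def table_references(select_sql: str) -> List[Tuple[str, str]]:
    """Return (table, alias) pairs from the FROM clause.

    Accepts 'FROM t', 'FROM t a' and 'FROM t AS a' items separated by commas.
    A table without an alias is referenced by its own name, so the alias
    column then repeats the table name.
    """
    match = FROM_RE.search(select_sql)
    if not match:
        raise ValueError("statement has no FROM clause")
    refs = []
    for item in match.group(1).split(","):
        parts = item.split()
        if len(parts) == 1:
            table, alias = parts[0], parts[0]
        elif len(parts) == 2:
            table, alias = parts
        elif len(parts) == 3 and parts[1].upper() == "AS":
            table, alias = parts[0], parts[2]
        else:
            raise ValueError(f"cannot parse table reference: {item.strip()!r}")
        refs.append((table, alias))
    return refs


def duplicate_table_error(select_sql: str) -> Optional[str]:
    """Return an error message if the FROM clause binds one name twice, else None.

    Identifier comparison is case-insensitive here (an assumption for the
    example). Referencing the same table twice under *different* aliases is a
    legitimate self-join; the defect is the same name bound twice, which makes
    a column reference such as t.foo ambiguous.
    """
    seen = set()
    for _table, alias in table_references(select_sql):
        key = alias.lower()
        if key in seen:
            return f"table name or alias {alias!r} appears more than once in FROM clause"
        seen.add(key)
    return None
```

Run the check before handing a user-supplied or stored query (such as the initial query of a main form) to the execution layer, so a malformed statement is reported rather than crashing the application.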



Re: Calligra stable releases not in Debian stable Jessi

2016-09-30 Thread Nicolás Alvarez
2016-09-30 6:31 GMT-03:00 Jaroslaw Staniek :
>
> Dear Debian contributors,
> I am maintainer of Kexi, one of Calligra apps.
> I've just noticed that in Debian stable Jessi the recent Calligra is 2.8.5
> which is 13 releases old. There are no updates to 2.8.7, and zero updates to
> 2.9.*.
>
> 2.8.5 is a July 2014 version. Due to security and stability issues it may be
> even better *not* to have this version released at all than receiving
> reports and users thinking that's the most recent version (this is my own
> opinion).
>
> When users run, say, a Raspberry, they see that old and unsupported (by us)
> version. So here Jessi distributes this unstable software despite many
> updates being available. I don't see the same issue with MySQL for example,
> which was updated just this month. Maybe a man power issue?
>
> I have questions then:
> - what happens?
> - what can be done to fix the situation?
> - how to coordinate better?
>

Jessie is frozen, I doubt Kexi 2.9 will ever be in 'jessie'. I don't
see how MySQL is different, the latest version from upstream is
5.7.15, Jessie has 5.5.52, it was upgraded from 5.5.50 because of a
specific security fix.

See this for the criteria to get an update in stable:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Can you mention specific security bugs that 2.8.5 has? That could
justify bringing 2.8.7 in (or backporting the security fixes).

And maybe 2.9 could be in the 'jessie-backports' repository. But I
wouldn't expect it in 'jessie'.


Of course, this is in addition to the possible lack of manpower to do
such packaging :)

-- 
Nicolás