Re: including EOL and vulnerable software in Fedora

2016-10-12 Thread Nick Coghlan
On 11 October 2016 at 02:18, Kevin Kofler wrote: > Charalampos Stratakis wrote: >> tox is THE main reason for multiple interpreters in Fedora. >> >> So no the comments are not contradictory but it seems there is a lack of >> (technical) understanding of the actual

Re: including EOL and vulnerable software in Fedora

2016-10-11 Thread Vít Ondruch
On 11.10.2016 at 12:57, Petr Viktorin wrote: > > The alternative to packaging those Pythons in Fedora is putting them > in some COPR. I believe this would send a bad message. If we want to > make Fedora friendly for Python developers, we should make > cross-version testing officially

Re: including EOL and vulnerable software in Fedora

2016-10-11 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Oct 11, 2016 at 09:50:13AM +0200, Vít Ondruch wrote: > > > On 11.10.2016 at 01:59, Zbigniew Jędrzejewski-Szmek wrote: > > On Mon, Oct 10, 2016 at 10:29:16AM +0200, Vít Ondruch wrote: > >> > >> On 9.10.2016 at 05:42, Nick Coghlan wrote: > >>> On 8 October 2016 at 23:13, Kevin Kofler

Re: including EOL and vulnerable software in Fedora

2016-10-11 Thread Petr Viktorin
On 10/10/2016 06:18 PM, Kevin Kofler wrote: Charalampos Stratakis wrote: tox is THE main reason for multiple interpreters in Fedora. So no the comments are not contradictory but it seems there is a lack of (technical) understanding of the actual situation here, but I may be wrong here, so

Re: including EOL and vulnerable software in Fedora

2016-10-11 Thread Petr Viktorin
I'd like to apologize for the wording "No security fixes will be applied". It was meant as a warning to users who might install the package without knowing what it is for, not as a declaration that we won't maintain the package properly. The "python26" package is meant to provide just that --

Re: including EOL and vulnerable software in Fedora

2016-10-11 Thread Vít Ondruch
On 11.10.2016 at 01:59, Zbigniew Jędrzejewski-Szmek wrote: > On Mon, Oct 10, 2016 at 10:29:16AM +0200, Vít Ondruch wrote: >> >> On 9.10.2016 at 05:42, Nick Coghlan wrote: >>> On 8 October 2016 at 23:13, Kevin Kofler wrote: These python[23][1-9] packages are

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Oct 10, 2016 at 10:29:16AM +0200, Vít Ondruch wrote: > > > On 9.10.2016 at 05:42, Nick Coghlan wrote: > > On 8 October 2016 at 23:13, Kevin Kofler wrote: > >> These python[23][1-9] packages are entirely unnecessary and should go away > >> ASAP. > > They're not

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Kevin Kofler
Charalampos Stratakis wrote: > Nevertheless, at the link that I posted before, you can see for yourself > the exact use case, so that should make things clear enough. Contradictory > or not (as I said maybe the original descriptions possibly need to be > rephrased), arguing about that does not

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Christian Stadelmann
+1 There is no need to keep broken deprecated stuff in fedora repositories. If somebody really wants to use this, use a COPR. Or use the distro with conservative risky update policy you are developing against (CentOS, RHEL, Debian, Ubuntu, …).

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Charalampos Stratakis
- Original Message - From: "Kevin Kofler" <kevin.kof...@chello.at> To: devel@lists.fedoraproject.org Sent: Monday, October 10, 2016 6:18:19 PM Subject: Re: including EOL and vulnerable software in Fedora > If no package is allowed to require the old Pythons (an

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Kevin Kofler
Charalampos Stratakis wrote: > tox is THE main reason for multiple interpreters in Fedora. > > So no the comments are not contradictory but it seems there is a lack of > (technical) understanding of the actual situation here, but I may be wrong > here, so please correct me if you think so. > >

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Kevin Kofler
Charalampos Stratakis wrote: > If people's issues is just the CVE's, and then everything will be fine, we > can go and fix all the CVE's discovered so far. That would be a good start. Kevin Kofler

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Charalampos Stratakis
- Original Message - From: "Kevin Kofler" <kevin.kof...@chello.at> To: devel@lists.fedoraproject.org Sent: Monday, October 10, 2016 4:14:30 PM Subject: Re: including EOL and vulnerable software in Fedora > Your explanation does not solve the inherent contradiction betw

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Kevin Kofler
Petr Viktorin wrote: > Indeed, there's a disconnect here. The old Pythons are intended for > *upstream* development/testing. Your explanation does not solve the inherent contradiction between: >> churchyard (in the FESCo tracker): >> | These packages are not intended to be used as dependencies

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Petr Viktorin
On 10/09/2016 05:39 PM, Kevin Kofler wrote: Nick Coghlan wrote: They're not unnecessary for Python developers, as if you want to make sure you're not accidentally using any features from later versions of Python, the only way to reliably check that is to actually test your code on those older

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Daniel P. Berrange
On Mon, Oct 10, 2016 at 11:32:43AM +0200, Dominik 'Rathann' Mierzejewski wrote: > On Monday, 10 October 2016 at 11:07, Florian Weimer wrote: > > On 10/07/2016 06:43 PM, Dominik 'Rathann' Mierzejewski wrote: > > > > > I was made aware that EOL software with known security bugs that will > > > not

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Dominik 'Rathann' Mierzejewski
On Monday, 10 October 2016 at 11:07, Florian Weimer wrote: > On 10/07/2016 06:43 PM, Dominik 'Rathann' Mierzejewski wrote: > > > I was made aware that EOL software with known security bugs that will > > not be fixed upstream (due to EOL status) was reviewed and accepted into > > Fedora recently.

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Charalampos Stratakis
- Original Message - From: "Kevin Kofler" <kevin.kof...@chello.at> To: devel@lists.fedoraproject.org Sent: Saturday, October 8, 2016 3:13:10 PM Subject: Re: including EOL and vulnerable software in Fedora > * should not be necessary to run software, software for Python

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Florian Weimer
On 10/07/2016 06:43 PM, Dominik 'Rathann' Mierzejewski wrote: I was made aware that EOL software with known security bugs that will not be fixed upstream (due to EOL status) was reviewed and accepted into Fedora recently. Fedora relies on EOLed components pretty much across the system

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Charalampos Stratakis
This seems highly unlikely Charalampos Stratakis Associate Software Engineer Python Maintenance Team, Red Hat - Original Message - From: "Kevin Kofler" <kevin.kof...@chello.at> To: devel@lists.fedoraproject.org Sent: Sunday, October 9, 2016 5:39:00 PM Subject: R

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Igor Gnatenko
On Mon, Oct 10, 2016 at 10:29 AM, Vít Ondruch wrote: > > > On 9.10.2016 at 05:42, Nick Coghlan wrote: >> On 8 October 2016 at 23:13, Kevin Kofler wrote: >>> These python[23][1-9] packages are entirely unnecessary and should go away >>> ASAP. >>

Re: including EOL and vulnerable software in Fedora

2016-10-10 Thread Vít Ondruch
On 9.10.2016 at 05:42, Nick Coghlan wrote: > On 8 October 2016 at 23:13, Kevin Kofler wrote: >> These python[23][1-9] packages are entirely unnecessary and should go away >> ASAP. > They're not unnecessary for Python developers, as if you want to make > sure you're

Re: including EOL and vulnerable software in Fedora

2016-10-09 Thread Kevin Kofler
Nick Coghlan wrote: > They're not unnecessary for Python developers, as if you want to make > sure you're not accidentally using any features from later versions of > Python, the only way to reliably check that is to actually test your > code on those older versions. Tools like "tox" make that

Re: including EOL and vulnerable software in Fedora

2016-10-08 Thread Neal Gompa
On Sat, Oct 8, 2016 at 11:42 PM, Nick Coghlan wrote: > On 8 October 2016 at 23:13, Kevin Kofler wrote: >> These python[23][1-9] packages are entirely unnecessary and should go away >> ASAP. > > They're not unnecessary for Python developers, as if you

Re: including EOL and vulnerable software in Fedora

2016-10-08 Thread Nick Coghlan
On 8 October 2016 at 23:13, Kevin Kofler wrote: > These python[23][1-9] packages are entirely unnecessary and should go away > ASAP. They're not unnecessary for Python developers, as if you want to make sure you're not accidentally using any features from later versions

Re: including EOL and vulnerable software in Fedora

2016-10-08 Thread Kevin Kofler
Dominik 'Rathann' Mierzejewski wrote: > My proposal is: > 1. Prevent EOL software with known security vulnerabilities from > entering Fedora in the first place, i.e. make it a review bullet point > (if the package is EOL it MUST NOT have any known security > vulnerabilities). If existing packages

Re: including EOL and vulnerable software in Fedora

2016-10-07 Thread Dominik 'Rathann' Mierzejewski
On Friday, 07 October 2016 at 19:35, Zbigniew Jędrzejewski-Szmek wrote: > On Fri, Oct 07, 2016 at 06:43:10PM +0200, Dominik 'Rathann' Mierzejewski > wrote: > > Dear All, > > I was made aware that EOL software with known security bugs that will > > not be fixed upstream (due to EOL status) was

Re: including EOL and vulnerable software in Fedora

2016-10-07 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Oct 07, 2016 at 06:43:10PM +0200, Dominik 'Rathann' Mierzejewski wrote: > Dear All, > I was made aware that EOL software with known security bugs that will > not be fixed upstream (due to EOL status) was reviewed and accepted into > Fedora recently. This came on the back of the FPC ticket

Re: including EOL and vulnerable software in Fedora

2016-10-07 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Oct 07, 2016 at 06:43:10PM +0200, Dominik 'Rathann' Mierzejewski wrote: > Dear All, > I was made aware that EOL software with known security bugs that will > not be fixed upstream (due to EOL status) was reviewed and accepted into > Fedora recently. This came on the back of the FPC ticket