Re: [gentoo-dev] Only you can prevent broken portage trees

2006-11-02 Thread Michael Cummings
On Tue, 2006-10-31 at 19:47 +0100, Fernando J. Pereda wrote:
 You probably want a shell account on a mips/alpha/... machine so you can
 start helping, right?

Not attempting to join this ruckus - but I'll meekly raise my hand and
say that'd be awesome. I have an account on a mips box, but its
connection to the internet has been unstable in recent months (which I
was warned about ahead of time - that isn't a gripe). As primarily an
ebuild maintainer, I have no qualms about doing the legwork in the scope
that an arch is willing to accept, I just don't have the money and space
to personally house more than a handful of machines at home.
-- 

-o()o--
Michael Cummings   |#gentoo-dev, #gentoo-perl
Gentoo Perl Dev|on irc.freenode.net 
Gentoo/SPARC
Gentoo/AMD64
GPG: 0543 6FA3 5F82 3A76 3BF7  8323 AB5C ED4E 9E7F 4E2E
-o()o--





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-11-02 Thread Ilya A. Volynets-Evenbakh
Michael Cummings wrote:
 Not attempting to join this ruckus - but I'll meekly raise my hand and
 say that'd be awesome. I have an account on a mips box, but its
 connection to the internet has been unstable in recent months (which I
 was warned about ahead of time - that isn't a gripe).
Just FYI, there is another box, faster, and running 24x7 which
should be used instead of O2K now. Ping me on IRC for more
info. (Oh, and sign up for the announcements list for those boxes ;-)
  As primarily an
 ebuild maintainer, I have no qualms about doing the legwork in the scope
 that an arch is willing to accept, I just don't have the money and space
 to personally house more than a handful of machines at home.
   

-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Mike Frysinger
On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
 I'm not a dev but I suppose I got a resolution for that problem. Let's make
 another subproject (don't know how to name it properly) in bugzilla

you mean like the Gentoo Security bugzilla product ?
-mike




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread David Shakaryan
Paweł Madej wrote:
 I'm not a dev but I suppose I got a resolution for that problem. Let's make
 another subproject (don't know how to name it properly) in bugzilla in which
 there will be only bugs affected by a security flaw. Those bugs will have the
 highest priority over every other one. And devs would have to look at them
 first

What's wrong with simply setting high priority or severity on a bug like
you can currently do?

-- 
David Shakaryan
GnuPG Public Key: 0x4B8FE14B





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Paweł Madej
On Tuesday 31 October 2006 09:02, Mike Frysinger wrote:
 On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
  I'm not a dev but I suppose I got a resolution for that problem. Let's make
  another subproject (don't know how to name it properly) in bugzilla

 you mean like the Gentoo Security bugzilla product ?
 -mike

Yes, that could be it - as I checked, there is a lack of unneeded noise bugs.
So devs could concentrate on important ones.

-- 
Paweł Madej (Nysander)




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Paweł Madej
On Tuesday 31 October 2006 09:06, David Shakaryan wrote:
 Paweł Madej wrote:
  I'm not a dev but I suppose I got a resolution for that problem. Let's make
  another subproject (don't know how to name it properly) in bugzilla in
  which there will be only bugs affected by a security flaw. Those bugs will
  have the highest priority over every other one. And devs would have to look
  at them first

 What's wrong with simply setting high priority or severity on a bug like
 you can currently do?

From a user's point of view, while I report a new bug I can set priority and
severity to what I want; everybody could. Then bug-wranglers have to point that
bug to a suitable herd/dev so he is informed about the bug. But such bugs, as I
said before, are hundreds. Bugs in Gentoo Security as Mike proposed are a lot
fewer, so devs could concentrate on them and next go to the common bugs category.

I don't know if it is possible to make it so, but I hope I helped a little.

Greets
Paweł Madej (Nysander)




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Mike Frysinger
On Tuesday 31 October 2006 03:38, Paweł Madej wrote:
 On Tuesday 31 October 2006 09:02, Mike Frysinger wrote:
  On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
   I'm not a dev but I suppose I got a resolution for that problem. Let's
   make another subproject (don't know how to name it properly) in
   bugzilla
 
  you mean like the Gentoo Security bugzilla product ?

 Yes, that could be it - as I checked, there is a lack of unneeded noise
 bugs. So devs could concentrate on important ones.

sorry, I don't get it

we already have the products available for people to sort arch bugs 
between "stabilize random pkg for fun" and "stabilize random pkg for 
security" ... in fact, the bug e-mails that go out even have headers in them 
so people can filter into different folders
-mike




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Paweł Madej
On Tuesday 31 October 2006 09:52, Mike Frysinger wrote:
 On Tuesday 31 October 2006 03:38, Paweł Madej wrote:
  On Tuesday 31 October 2006 09:02, Mike Frysinger wrote:
   On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
    I'm not a dev but I suppose I got a resolution for that problem. Let's
    make another subproject (don't know how to name it properly) in
    bugzilla
  
   you mean like the Gentoo Security bugzilla product ?
 
  Yes, that could be it - as I checked, there is a lack of unneeded noise
  bugs. So devs could concentrate on important ones.

 sorry, I don't get it

 we already have the products available for people to sort arch bugs
 between "stabilize random pkg for fun" and "stabilize random pkg for
 security" ... in fact, the bug e-mails that go out even have headers in
 them so people can filter into different folders
 -mike

If there is no such information in emails about which bugzilla product a bug
report is attached to, maybe the solution is to write [SECURITY] or [SEC] in
the bug summary, or whatever would point out that this bug is important?




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Mike Frysinger
On Tuesday 31 October 2006 04:08, Paweł Madej wrote:
 On Tuesday 31 October 2006 09:52, Mike Frysinger wrote:
  we already have the products available for people to sort arch bugs
  between "stabilize random pkg for fun" and "stabilize random pkg for
  security" ... in fact, the bug e-mails that go out even have headers in
  them so people can filter into different folders

 If there is no such information in emails about which bugzilla product a
 bug report is attached to,

i just said *that exact information is already in the e-mail*

X-Bugzilla-Product: Gentoo Security
X-Bugzilla-Severity: enhancement
X-Bugzilla-Keywords: 
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Component: Vulnerabilities
-mike


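As an added example (not code from the thread or from Gentoo's own tooling) of filtering on the X-Bugzilla-* headers Mike quotes: a small Python triage script that routes Bugzilla notification mail into a security folder and orders it by severity, so no [SECURITY] tag in the Summary line is needed. The folder names, the sample messages and the non-security product/component values are constructed for illustration.

```python
"""Route Bugzilla notification mail by its X-Bugzilla-* headers.

Added example, not code from the thread: the headers quoted in the thread
(X-Bugzilla-Product, X-Bugzilla-Severity, X-Bugzilla-Component, ...)
already say whether a notification belongs to the Gentoo Security product,
so a mail filter can act on them directly. Folder names and sample
messages below are constructed for illustration.
"""
from __future__ import annotations

from email import message_from_string
from email.message import Message

# Constructed folder layout (an assumption, not Gentoo policy).
SECURITY_FOLDER = "bugs/security"
OTHER_BUGS_FOLDER = "bugs/other"
NOT_BUGZILLA = "inbox"

# Standard Bugzilla severities, most urgent first.
SEVERITY_RANK = {
    "blocker": 0, "critical": 1, "major": 2, "normal": 3,
    "minor": 4, "trivial": 5, "enhancement": 6,
}
UNKNOWN_RANK = len(SEVERITY_RANK)  # sorts after every real severity


def bugzilla_headers(msg: Message) -> dict[str, str]:
    """Collect every X-Bugzilla-* header, keyed by the part after the prefix."""
    prefix = "x-bugzilla-"
    return {
        name.lower()[len(prefix):]: (value or "").strip()
        for name, value in msg.items()
        if name.lower().startswith(prefix)
    }


def classify(raw: str) -> tuple[str, int]:
    """Return (folder, rank) for one raw message; a lower rank is more urgent.

    Mail without any X-Bugzilla-* header is not a Bugzilla notification and
    stays in the inbox. A missing or unknown severity is ranked least urgent
    instead of raising, so one odd message cannot abort the whole run.
    """
    hdrs = bugzilla_headers(message_from_string(raw))
    if not hdrs:
        return NOT_BUGZILLA, UNKNOWN_RANK
    rank = SEVERITY_RANK.get(hdrs.get("severity", "").lower(), UNKNOWN_RANK)
    if hdrs.get("product") == "Gentoo Security":
        return SECURITY_FOLDER, rank
    return OTHER_BUGS_FOLDER, rank


def triage(raws: list[str]) -> list[tuple[str, str]]:
    """Order a batch security product first, then by severity.

    Returns (folder, subject) pairs in the order a developer should read them.
    """
    scored = []
    for raw in raws:
        folder, rank = classify(raw)
        subject = message_from_string(raw).get("Subject", "(no subject)")
        scored.append((folder != SECURITY_FOLDER, rank, folder, subject))
    scored.sort(key=lambda item: item[:2])
    return [(folder, subject) for _, _, folder, subject in scored]


# Constructed sample notifications; addresses, bug ids and package names are
# placeholders, and only the "Gentoo Security" product and "Vulnerabilities"
# component values come from the thread.
SECURITY_MAJOR = """\
From: bugzilla@example.org
Subject: [Bug NNNNN] example-pkg: stable request for security fix
X-Bugzilla-Product: Gentoo Security
X-Bugzilla-Severity: major
X-Bugzilla-Keywords:
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Component: Vulnerabilities

Arches, please stabilise example-pkg-1.2.3.
"""

SECURITY_ENHANCEMENT = """\
From: bugzilla@example.org
Subject: [Bug NNNNN] example-pkg: hardening enhancement
X-Bugzilla-Product: Gentoo Security
X-Bugzilla-Severity: enhancement
X-Bugzilla-Component: Vulnerabilities

"""

OTHER_BLOCKER = """\
From: bugzilla@example.org
Subject: [Bug NNNNN] other-pkg: stable request
X-Bugzilla-Product: Example Product
X-Bugzilla-Severity: blocker
X-Bugzilla-Component: Example Component

"""

PLAIN_MAIL = """\
From: someone@example.org
Subject: Re: [gentoo-dev] Only you can prevent broken portage trees

Not a Bugzilla notification at all.
"""

SAMPLE_BATCH = [PLAIN_MAIL, OTHER_BLOCKER, SECURITY_ENHANCEMENT, SECURITY_MAJOR]

if __name__ == "__main__":
    for folder, subject in triage(SAMPLE_BATCH):
        print(f"{folder:14s}  {subject}")
```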


Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Paweł Madej
On Tuesday 31 October 2006 10:17, Mike Frysinger wrote:
 On Tuesday 31 October 2006 04:08, Paweł Madej wrote:
  On Tuesday 31 October 2006 09:52, Mike Frysinger wrote:
   we already have the products available for people to sort arch bugs
   between "stabilize random pkg for fun" and "stabilize random pkg for
   security" ... in fact, the bug e-mails that go out even have headers in
   them so people can filter into different folders
 
  If there is no such information in emails about which bugzilla product a
  bug report is attached to,

 i just said *that exact information is already in the e-mail*

 X-Bugzilla-Product: Gentoo Security
 X-Bugzilla-Severity: enhancement
 X-Bugzilla-Keywords:
 X-Bugzilla-Reason: AssignedTo
 X-Bugzilla-Component: Vulnerabilities
 -mike

I misunderstood your email. If there is such info, I don't have any more
solutions. The rest lies in devs' minds and behaviour when they get such an email.





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Steve Dibb

Ciaran McCreesh wrote:

On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh wrote:
|  | What on earth are you talking about here? And why almost 6 months
|  | is not enough for someone to respond on a bug with a simple
|  | "we'll only support newer versions and don't care about MySQL
|  | 4.0.x any more, go drop it"?
|  
|  Priorities. The arch teams could be too busy dealing with other bugs
|  that matter more or too busy dealing with noise bugs.
| 
| Sorry, taking 1 minute to respond on a bug after being poked for a
| couple of months is not a matter of priorities, but mere politeness
| and common sense. Seriously, you can't work productively with other
| people if they can't be bothered to write one sentence for months.

There are an awful lot of bugs requiring an awful lot of attention...



That does bring up an interesting question though -- at what point do you just 
ignore the arch and move on so that development can continue?


I suppose if you had a nasty security verbump you needed to release, you could 
keyword it yourself, but for everything else, what's the best way to handle 
those if you are perpetually ignored?


Steve



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 16:36:13 +0100
Stuart Herbert [EMAIL PROTECTED] wrote:

 Would it be possible to have some arch team leaders join in this
 debate?  Atm, it just seems to be bouncing back and forwards between
 package maintainers asking questions, and a Gentoo user filling the
 void left by the responses from the arch team folks.

Having a system that actually works is usually reckoned to be more
important than patching minor security holes on architectures that
aren't security-supported anyway. On systems that are almost never used
in production or in externally visible roles, security bugs are much
akin to simple enhancements to a package that already works, and fixing
packages that don't work takes precedence.



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Roy Marples
On Tuesday 31 October 2006 16:02, Stuart Herbert wrote:
 3) ??

Profit

-- 
Roy Marples [EMAIL PROTECTED]
Gentoo Developer (baselayout, networking)



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Roy Marples
On Tuesday 31 October 2006 14:46, Steve Dibb wrote:
 That does bring up an interesting question though -- at what point do you
 just ignore the arch and move on so that development can continue?

I just ignore the arches these days. After all, they ignore me. dhcp clients 
were modified to be independent of baselayout and arches had stable bugs for 
these.

baselayout-1.12 then went stable even though the required dhcp clients for the 
more obscure arches did not. As of right now, baselayout-1.12 is stable on 
arm, but udhcpc will not work on it unless they use unstable udhcpc.

Another example - kbd-1.12-r8 has a patch to fix loading unimaps, which a 
user-submitted patch for consolefont needs. I've just filed a stable request for 
it even though r7 has had an outstanding stable bug for almost 2 months.

How long should I wait before I wang a fixed consolefont script into 
baselayout that relies on this?

With all of the above considered, imagine the irony of me filing a stable 
bug for kbd-1.12-r8 and someone stabling it on sparc :P

-- 
Roy Marples [EMAIL PROTECTED]
Gentoo Developer (baselayout, networking)



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen P. Becker
Stuart Herbert wrote:
 On 10/31/06, Ciaran McCreesh [EMAIL PROTECTED] wrote:
 Uh, security bugs are not the highest priority.
 
 Would it be possible to have some arch team leaders join in this
 debate?  Atm, it just seems to be bouncing back and forwards between
 package maintainers asking questions, and a Gentoo user filling the
 void left by the responses from the arch team folks.

You do realize that Ciaran *was* a member of several arch teams, right?
I would agree with pretty much everything he has said on this topic.
Perhaps you should consider that the reason that not many arch team
folks have chipped in is because we agree with him.  Don't dismiss his
responses as noise from some random Gentoo user who has no idea what
they are talking about.  You should know better than that, Stuart.


 (Or, to put it another way, I'm not sure anyone's actually learning
 anything here, except for Ciaran's personal opinions on how he'd like
 things to be).

Or, to put it this way, I'm not sure anyone is actually getting the
point, simply because they would rather stick their heads in the sand
instead of actually listening to something Ciaran has to say.

-Steve



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stuart Herbert

On 10/31/06, Ciaran McCreesh [EMAIL PROTECTED] wrote:

Uh, security bugs are not the highest priority.


Would it be possible to have some arch team leaders join in this
debate?  Atm, it just seems to be bouncing back and forwards between
package maintainers asking questions, and a Gentoo user filling the
void left by the responses from the arch team folks.

(Or, to put it another way, I'm not sure anyone's actually learning
anything here, except for Ciaran's personal opinions on how he'd like
things to be).

Many thanks,
Stu



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 12:30:24 -0500 Alec Warner [EMAIL PROTECTED]
wrote:
| I'm just trying to make my life as an ebuild maintainer easier.  This 
| means some individuals may file bugs against an old crusty version of
| a package that I maintain because $arch hasn't keyworded a newer
| version yet.  Then I have to tell the user that they are using a
| crusty old version and to use a newer one.  Double bonus if they are
| actually using said $arch and need to keyword the newer version
| themselves.

Well, if that happens, it increases the priority of keywording the new
version. Because once users start to care, things are more important.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 17:02:46 +0100
Stuart Herbert [EMAIL PROTECTED] wrote:

 1)  Leave the older versions in the tree, even though they are
 insecure and possibly/probably no longer supported by package
 maintainers.  This keeps minority arches happy at the expense of the
 larger group of package maintainers.

How exactly does this affect package maintainers, apart from the
cosmetic problems of having an old ebuild lying around? As far as I can
see, it doesn't affect the maintenance burden, since if the arch still
using the old version needs a fix present in the newer versions they
can just keyword one of those, and if the fix isn't present it doesn't
much matter which ebuild(s) get it applied.

The original request not to remove an arch's latest stable ebuild seems
reasonable enough to me -- we're not asking package maintainers to
support or update things that they wouldn't otherwise, merely not to be
so hasty about removing them from the tree since they might still be of
use to someone.



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jakub Moc
Stephen Bennett wrote:
 On Tue, 31 Oct 2006 18:18:26 +0100
 Jakub Moc [EMAIL PROTECTED] wrote:
 
 Sure I did... Could you tell me why should we accumulate broken and
 vulnerable junk in the tree for years? (Outdated ebuild A depends on
 junky outdated ebuild B which depends on crappy, unsupported ebuilds
 C, D and E which... )
 
 To avoid breaking the dep tree for users. Quite simple really.

Ah. That's apparently much more important than not breaking users by
providing them w/ non-vulnerable, decently up-to-date stuff that's not
ridden by tons of bugs. Yup. :P


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 17:02:46 +0100 Stuart Herbert
[EMAIL PROTECTED] wrote:
| 2) Or, remove the older versions from the tree after a suitable
| waiting period (say, 3 months for arguments sake).  This will keep
| package maintainers happy, and our users (less cruft in the tree to
| rsync and metadata-cache), but causes real trouble for minority
| arches.

Users are generally not happy when they see big flashy !!! error
messages when trying to update their systems...

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jason Wever

On Tue, 31 Oct 2006, Stuart Herbert wrote:


On 10/31/06, Ciaran McCreesh [EMAIL PROTECTED] wrote:

 Uh, security bugs are not the highest priority.


Would it be possible to have some arch team leaders join in this
debate?  Atm, it just seems to be bouncing back and forwards between
package maintainers asking questions, and a Gentoo user filling the
void left by the responses from the arch team folks.


Well, let's use an example.  If SPARC had a breakage in the system profile 
and a security bug in say, phpmyadmin, the system profile breakage is 
going to take priority as it impacts every SPARC user's ability to use 
and/or install Gentoo on Linux/SPARC.  However, phpmyadmin impacts a much 
smaller segment of the Gentoo Linux/SPARC user base, so it's not as much of 
a problem.


Obviously some of this is going to be relative.  If the security issue was 
a remote unauthorized DoS, buffer overflow resulting in a root shell 
particularly in the system profile packages, then it would probably take 
priority over the latest request to stabilize or add testing keywords to 
random package maintainer's package.


That being said, Gentoo Linux/SPARC normally does try to handle Security 
issues before others if the others aren't critical.


Cheers,
-- 
Jason Wever

Gentoo/Sparc Team Co-Lead



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stuart Herbert

On 10/31/06, Stephen Bennett [EMAIL PROTECTED] wrote:

Having a system that actually works is usually reckoned to be more
important than patching minor security holes on architectures that
aren't security-supported anyway. On systems that are almost never used
in production or in externally visible roles, security bugs are much
akin to simple enhancements to a package that already works, and fixing
packages that don't work takes precedence.


Thanks for that.  It's much appreciated.

This leaves package maintainers in the situation that there are
'old'/'insecure'/insert preferred adjective here versions of
packages that are hanging around only because arches have fallen
behind.  Package maintainers want to be able to remove these old
versions, but currently cannot because of keywording-lag.

At the moment, it looks like there are a few choices:

1)  Leave the older versions in the tree, even though they are
insecure and possibly/probably no longer supported by package
maintainers.  This keeps minority arches happy at the expense of the
larger group of package maintainers.

2) Or, remove the older versions from the tree after a suitable
waiting period (say, 3 months for argument's sake).  This will keep
package maintainers happy, and our users (less cruft in the tree to
rsync and metadata-cache), but causes real trouble for minority
arches.

3) ??

Best regards,
Stu



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner [EMAIL PROTECTED]
wrote:
| I picked a random e-mail to reply to.  I don't maintain that many 
| packages (maybe 10 or so?).  But if I have a bug (particularly a sec
| bug as in this case) and you haven't stabilized it after five months
| then I'll probably just nuke the ebuild and drop your keywords

Which is dumb. There's no harm to be had in just leaving the ebuild
there.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Paweł Madej
On Tuesday 31 October 2006 17:04, Stephen P. Becker wrote:
 [snip]
 Don't dismiss his responses as noise from some random Gentoo user who has
 no idea what they are talking about.  You should know better than that,
 Stuart.

 -Steve

This random Gentoo user, as you wrote, makes no noise but tried to help. From 
your email I read that you're the Dev'tha boss and a common gentoo user has nothing 
to add, because he is not a dev'tha boss.

This list is public and everyone can write to it if he has something 
important to add, so don't dismiss a user's comments because he is not a 
dev. If you don't agree with my proposal, OK, but I have a right to write and 
you cannot take it from me.

No flame at all. Just wanna help.

Greets
Paweł Madej




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jakub Moc
Ciaran McCreesh wrote:
 On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner [EMAIL PROTECTED]
 wrote:
 | I picked a random e-mail to reply to.  I don't maintain that many 
 | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
 | bug as in this case) and you haven't stabilized it after five months
 | then I'll probably just nuke the ebuild and drop your keywords
 
 Which is dumb. There's no harm to be had in just leaving the ebuild
 there.

Accumulating broken old vulnerable and unsupported junk in the tree for the
sole sake of arches that no one cares about enough to keyword something
newer for months harms everyone who uses rsync, wastes disk space for
users, wastes disk space on mirrors, makes CVS and portage slower,
wastes maintainers' time... No harm? Nonsense.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 17:16:31 +0100
Stuart Herbert [EMAIL PROTECTED] wrote:

 Arch team leaders set policy on these issues, not Ciaran.

Which they did a long time ago, which he got to know at that time, and
which haven't substantively changed since then. He's as well qualified
as anyone to answer, especially since he's still more closely involved
than many, I would dare say most, current developers in their everyday
activities.



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Olivier Crete
On Tue, 2006-31-10 at 17:02 +0100, Stuart Herbert wrote:
 This leaves package maintainers in the situation that there are
 'old'/'insecure'/insert preferred adjective here versions of
 packages that are hanging around only because arches have fallen
 behind.  Package maintainers want to be able to remove these old
 versions, but currently cannot because of keywording-lag.
 [...]
 3) ??

What about, package maintainers remove all of the other keywords from
said broken version and add a nasty ewarning message to the pkg_postinst
like "this version has a known security problem, don't use it, bitch to
your arch team if you're not happy"...

-- 
Olivier Crête
[EMAIL PROTECTED]
Gentoo Developer





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Fernando J. Pereda
On Tue, Oct 31, 2006 at 06:18:26PM +0100, Jakub Moc wrote:
 Sure I did... Could you tell me why should we accumulate broken and
 vulnerable junk in the tree for years? (Outdated ebuild A depends on
 junky outdated ebuild B which depends on crappy, unsupported ebuilds C,
 D and E which... )

That's not the maintainer's problem but the Arch Team's problem, so they
are the ones that decide what to do.

 Either keyword it in a reasonable time or you'll lose the keyword, damn
 simple... Can't do it in X months? Sorry, too bad for your arch, the
 package is gone and users will rant (or they won't, and then you don't
 need the keywords in the first place).

No. Arch Teams manage their keywords the way _they_ want not the way YOU
or others that don't work on arch teams want.

It is actually *that* simple.

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 18:23:49 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh wrote:
|  On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner [EMAIL PROTECTED]
|  wrote:
|  | I picked a random e-mail to reply to.  I don't maintain that many 
|  | packages (maybe 10 or so?).  But if I have a bug (particularly a
|  | sec bug as in this case) and you haven't stabilized it after five
|  | months then I'll probably just nuke the ebuild and drop your
|  | keywords
|  
|  Which is dumb. There's no harm to be had in just leaving the ebuild
|  there.
| 
| Accumulating broken old vulnerable and unsupported junk in tree

There is no accumulation. It's already there. And if packages are that
bad, perhaps you should ask yourself why they have a stable keyword at
all.

| for the sole sake of arches that noone cares about enough to keyword
| something newer for months

If you're taking that argument, one could just as easily claim that the
packages should be removed entirely since the arch teams don't care
enough to keyword them.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Fernando J. Pereda
On Tue, Oct 31, 2006 at 05:05:21PM +, Stephen Bennett wrote:
 On Tue, 31 Oct 2006 17:57:06 +0100
 Jakub Moc [EMAIL PROTECTED] wrote:
 
  Of course it does... Lots of people can't remove outdated broken cruft
  because $ebuild still depends on something since $arch has been
  slacking for months. Lots of people are forced to maintain outdated
  junk in this way, it's not like it's just sitting there doing nothing.
 
 Did you even read my mail? We're not asking people to maintain old
 stuff, just to leave it there as is until a newer one can be tested and
 keyworded.

No he didn't, and he probably won't. I've tried to explain this at least
once in #gentoo-qa and he didn't seem to *want* to understand it.

Maybe we aren't being clear enough...

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jakub Moc
Stephen Bennett wrote:
 On Tue, 31 Oct 2006 17:57:06 +0100
 Jakub Moc [EMAIL PROTECTED] wrote:
 
 Of course it does... Lots of people can't remove outdated broken cruft
 because $ebuild still depends on something since $arch has been
 slacking for months. Lots of people are forced to maintain outdated
 junk in this way, it's not like it's just sitting there doing nothing.
 
 Did you even read my mail? We're not asking people to maintain old
 stuff, just to leave it there as is until a newer one can be tested and
 keyworded.

Sure I did... Could you tell me why should we accumulate broken and
vulnerable junk in the tree for years? (Outdated ebuild A depends on
junky outdated ebuild B which depends on crappy, unsupported ebuilds C,
D and E which... )

Either keyword it in a reasonable time or you'll lose the keyword, damn
simple... Can't do it in X months? Sorry, too bad for your arch, the
package is gone and users will rant (or they won't, and then you don't
need the keywords in the first place).


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 18:18:26 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

 Sure I did... Could you tell me why should we accumulate broken and
 vulnerable junk in the tree for years? (Outdated ebuild A depends on
 junky outdated ebuild B which depends on crappy, unsupported ebuilds
 C, D and E which... )

To avoid breaking the dep tree for users. Quite simple really.



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Alec Warner

Steve Dibb wrote:

Ciaran McCreesh wrote:

On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh wrote:
|  | What on earth are you talking about here? And why almost 6 months
|  | is not enough for someone to respond on a bug with a simple
|  | "we'll only support newer versions and don't care about MySQL
|  | 4.0.x any more, go drop it"?
|  
|  Priorities. The arch teams could be too busy dealing with other bugs
|  that matter more or too busy dealing with noise bugs.
| 
| Sorry, taking 1 minute to respond on a bug after being poked for a
| couple of months is not a matter of priorities, but mere politeness
| and common sense. Seriously, you can't work productively with other
| people if they can't be bothered to write one sentence for months.

There are an awful lot of bugs requiring an awful lot of attention...



That does bring up an interesting question though -- at what point do 
you just ignore the arch and move on so that development can continue?


I suppose if you had a nasty security verbump you needed to release, you 
could keyword it yourself, but for everything else, what's the best way 
to handle those if you are perpetually ignored?


Steve


I picked a random e-mail to reply to.  I don't maintain that many 
packages (maybe 10 or so?).  But if I have a bug (particularly a sec bug 
as in this case) and you haven't stabilized it after five months then 
I'll probably just nuke the ebuild and drop your keywords and then 
change the bug title to "$arch got its keywords dropped".  Now of 
course I'd probably e-mail your alias a couple of times letting on that 
this is my evil plan and to please try and get to my bug.


As an arch team you may not like it; and yeah it kind of sucks.  If you 
want your keyword back there will still be a bug open for it and the 
arch team can always keyword it themselves.


You can ask that we make a good faith attempt to not break the arch 
trees, and I think that's an acceptable request.  But eventually I'm 
going to give up waiting on you.

--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 17:57:06 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

> Of course it does... Lots of people can't remove outdated broken cruft
> because $ebuild still depends on something since $arch has been
> slacking for months. Lots of people are forced to maintain outdated
> junk in this way, it's not like it's just sitting there doing nothing.

Did you even read my mail? We're not asking people to maintain old
stuff, just to leave it there as is until a newer one can be tested and
keyworded.
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 17:57:06 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| > How exactly does this affect package maintainers, apart from the
| > cosmetic problems of having an old ebuild lying around? As far as I
| > can see, it doesn't affect the maintenance burden,
| 
| Of course it does... Lots of people can't remove outdated broken cruft
| because $ebuild still depends on something since $arch has been
| slacking for months. Lots of people are forced to maintain outdated
| junk in this way, it's not like it's just sitting there doing nothing.

Uh, dude... If people are maintaining out of date packages, they're
doing something wrong. Old packages, by and large, should *not* be
modified.

| So again, if some arch can't be bothered to answer keywording bugs for
| months, no point in complaining that the maintainer finally gets
| pissed off enough to just punt the last ebuild keyworded for that
| arch.

Simply leaving those ebuilds alone takes no effort.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Alec Warner

Ciaran McCreesh wrote:
> On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner [EMAIL PROTECTED]
> wrote:
> | I picked a random e-mail to reply to.  I don't maintain that many
> | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
> | bug as in this case) and you haven't stabilized it after five months
> | then I'll probably just nuke the ebuild and drop your keywords
>
> Which is dumb. There's no harm to be had in just leaving the ebuild
> there.



I'm just trying to make my life as an ebuild maintainer easier.  This 
means some individuals may file bugs against an old crusty version of a 
package that I maintain because $arch hasn't keyworded a newer version 
yet.  Then I have to tell the user that they are using a crusty old 
version and to use a newer one.  Double bonus if they are actually using 
said $arch and need to keyword the newer version themselves.


I'll admit I've never had to drop keywords on anything thus far; I'm 
merely stating what I would do in such a situation.  Your point prior 
was that you weren't asking maintainers to maintain anything extra, but 
to leave the old ebuilds in place for the given $arches.  The small 
issue is that ebuilds in place imply maintainership; even if it's just 
to tell the user to use a newer version.


On the topic of old ebuilds; situations may arise where a particular 
maintainer is trying to clean out a version of a package but finds that 
$arch doesn't have anything newer stable and thus can't do any sort of 
cleanup for fear of breaking $arch.


You will probably again state that maintainer should just leave the 
older versions around.  I will state that at least as a maintainer I'm 
willing to do so for only a limited period of time.  Otherwise it 
becomes an annoyance when trying to clean up after packages to have 
ebuilds from three or four minor versions ago lying around.


So we disagree on this point.  That's ok too I think ;)
-Alec Warner
[EMAIL PROTECTED]
--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jakub Moc
Ciaran McCreesh wrote:
> | Accumulating broken old vulnerable and unsupported junk in tree
>
> There is no accumulation. It's already there. And if packages are that
> bad, perhaps you should ask yourself why they have a stable keyword at
> all.

Eh, sure there won't be any accumulation of broken junk _if_ the ebuild
never gets a version bump. (Then it should probably be removed
altogether after a reasonable period of time once it gets broken).
That's not what we are talking about here.

Otherwise, apparently the junk accumulates there. As an example - it's
really wonderful to have 3 KDE slots plus multiple versions for each in
the tree just because some arch team hasn't keyworded/stabilized
anything newer for ages. Makes everything faster and all...

> | for the sole sake of arches that no one cares about enough to keyword
> | something newer for months
>
> If you're taking that argument, one could just as easily claim that the
> packages should be removed entirely since the arch teams don't care
> enough to keyword them.

See above, perhaps? And, do we have some ebuilds without any keywords in
the tree? If we do, then yes, they should be removed.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 08:57:01 +0100 Paweł Madej [EMAIL PROTECTED]
wrote:
| I'm not a dev but I suppose I got a resolution for that problem. Let's
| make another subproject (don't know how to name it properly) in
| bugzilla in which there will be only bugs affected by security flaw.
| Those bugs will have highest priority from every other ones. And devs
| would have to look at them firstly

Uh, security bugs are not the highest priority.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Alec Warner

Ciaran McCreesh wrote:
> On Tue, 31 Oct 2006 18:50:58 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
> | Stephen Bennett wrote:
> | > On Tue, 31 Oct 2006 18:18:26 +0100
> | > Jakub Moc [EMAIL PROTECTED] wrote:
> | >
> | > > Sure I did... Could you tell me why we should accumulate broken and
> | > > vulnerable junk in the tree for years? (Outdated ebuild A depends
> | > > on junky outdated ebuild B which depends on crappy, unsupported
> | > > ebuilds C, D and E which... )
> | >
> | > To avoid breaking the dep tree for users. Quite simple really.
> |
> | Ah. That's apparently much more important than not breaking users by
> | providing them w/ non-vulnerable, decently up-to-date stuff that's not
> | ridden by tons of bugs. Yup. :P
>
> So if it's ridden by tons of bugs, why did it ever get marked stable?



Sometimes bugs are discovered after a stable marking, such as security 
bugs.  You of all people know how crappy some software developers are at 
releasing bug-free software.

--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 18:50:58 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

> Ah. That's apparently much more important than not breaking users by
> providing them w/ non-vulnerable, decently up-to-date stuff that's not
> ridden by tons of bugs. Yup. :P

You've never worked on an arch team, have you?
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ferris McCormick
On Tue, 2006-10-31 at 18:23 +0100, Jakub Moc wrote:
> Ciaran McCreesh wrote:
> > On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner [EMAIL PROTECTED]
> > wrote:
> > | I picked a random e-mail to reply to.  I don't maintain that many
> > | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
> > | bug as in this case) and you haven't stabilized it after five months
> > | then I'll probably just nuke the ebuild and drop your keywords
> >
> > Which is dumb. There's no harm to be had in just leaving the ebuild
> > there.
>
> Accumulating broken old vulnerable and unsupported junk in tree for the
> sole sake of arches that no one cares about enough to keyword something
> newer for months harms everyone who uses rsync, wastes disk space for
> users, wastes disk space on mirrors, makes CVS and portage slower,
> wastes maintainers' time... No harm? Nonsense.
>
>
Well, there's a bit more to it than "no one cares about".  Biggest
problem I have seen (although seldom) is when the fixed version is
broken for us.  In such cases, we will note the problem on the bug, but
obviously will not keyword the fixed version, and we need the old
version until the package maintainer corrects the problem.  Thus, we
have no control over any 5 month, 6 month, forever rule.

Regards,
Ferris
-- 
Ferris McCormick (P44646, MI) [EMAIL PROTECTED]
Developer, Gentoo Linux (Devrel, Sparc)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Fernando J. Pereda
On Tue, Oct 31, 2006 at 06:50:58PM +0100, Jakub Moc wrote:
> Ah. That's apparently much more important than not breaking users by
> providing them w/ non-vulnerable, decently up-to-date stuff that's not
> ridden by tons of bugs. Yup. :P

Why do you keep trying to tell arch maintainers how to do their job? Do
I tell you how to do yours?

Users of security-supported archs are not affected so what's your point
again? Assuming you have a valid one, of course, so please don't come
back with that "maintainers don't want to maintain old/broken stuff"
kind of argument.

I'm both an arch-maintainer and ebuild-maintainer and don't see a
problem here... so from your _vast_ experience as both an
ebuild-maintainer and arch-maintainer, what's the problem?

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Fernando J. Pereda
On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
> Oh well, this apparently doesn't go anywhere, slacking is just
> wonderful, maintainers should just STFU and obey the almighty slacking
> arches, security is the least of a concern and no priority, not
> answering on a bug for half a year makes lots of sense and all is fine
> and dandy. More cruft in the tree for t3h win.

Yeah, we are such slackers that we are able to maintain a whole tree of
keywords with less than 10 persons and less than 10 machines (alpha
example).

You probably want a shell account on a mips/alpha/... machine so you can
start helping, right?

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stephen Bennett
On Tue, 31 Oct 2006 19:12:58 +0100
Jakub Moc [EMAIL PROTECTED] wrote:

> Oh well, this apparently doesn't go anywhere, slacking is just
> wonderful, maintainers should just STFU and obey the almighty slacking
> arches, security is the least of a concern and no priority, not
> answering on a bug for half a year makes lots of sense and all is fine
> and dandy. More cruft in the tree for t3h win.

When you can find a group that can maintain keywords for the entire
tree with fewer than ten people and a similar number of machines
averaging 500-600MHz each (to take alpha as an example), or
approximately three active devs with machines averaging below 300MHz
(mips), then you can accuse the arch teams of slacking.
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Chris Gianelloni
On Tue, 2006-10-31 at 17:02 +0100, Stuart Herbert wrote:
> 3) ??

Get your hands on some of the minority arch hardware and help out?

Remember that some of the teams in question are sometimes only one or
two people.  In this case, a single developer does make a dramatic
difference.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Diego 'Flameeyes' Pettenò
On Tuesday 31 October 2006 19:51, Chris Gianelloni wrote:
> Remember that some of the teams in question are sometimes only one or
> two people.
Like x86? :P

-- 
Diego 'Flameeyes' Pettenò - http://farragut.flameeyes.is-a-geek.org/
Gentoo/Alt lead, Gentoo/FreeBSD, Video, Sound, ALSA, PAM, KDE, CJK, Ruby ...




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Chris Gianelloni
On Tue, 2006-10-31 at 20:06 +0100, Diego 'Flameeyes' Pettenò wrote:
> On Tuesday 31 October 2006 19:51, Chris Gianelloni wrote:
> > Remember that some of the teams in question are sometimes only one or
> > two people.
> Like x86? :P

With Opfer on the team, I think we're at 5 active.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Jakub Moc
Fernando J. Pereda wrote:
> On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
> > Oh well, this apparently doesn't go anywhere, slacking is just
> > wonderful, maintainers should just STFU and obey the almighty slacking
> > arches, security is the least of a concern and no priority, not
> > answering on a bug for half a year makes lots of sense and all is fine
> > and dandy. More cruft in the tree for t3h win.
>
> Yeah, we are such slackers that we are able to maintain a whole tree of
> keywords with less than 10 persons and less than 10 machines (alpha
> example).
>
> You probably want a shell account on a mips/alpha/... machine so you can
> start helping, right?

This whole frickin' debate started when vivo mentioned a bug where no one
from the concerned arches gave a damn for half a year. Not even uttering
a simple "we don't care, punt it" or "we still have an issue with this
and are working on it".

Then ciaranm came w/ his "priorities" junk, spb joined to fuel the flame
(as always) and then you came horribly offended (for whatever weird
reason) about how I'm daring to dictate to some arches how they should do
their job.

OMG how hard is it to post one sentence on such bugs instead of playing
a dead horse? Really, stop this nonsense.



-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Stuart Herbert

Hi Chris,

On 10/31/06, Chris Gianelloni [EMAIL PROTECTED] wrote:
> On Tue, 2006-10-31 at 17:02 +0100, Stuart Herbert wrote:
> > 3) ??
>
> Get your hands on some of the minority arch hardware and help out?


It's a good idea.  It's not an option for me, but hopefully others
will follow your advice.

Personally, I like the idea of package maintainers updating old
ebuilds with a prominent warning that the package is known to have
security holes, and then leaving it to the user to decide whether or
not to use the package.  A suitable elog message (pointing the user at
the security bugs in question, and warning them that the package is
now unsupported as a result) in pkg_setup would do the trick.

If there's any interest in this solution, it wouldn't take very long
to add a suitable function to the eutils eclass, so that we can
standardise the behaviour.

Of course, it'd be even better if Portage itself could support this,
so that the warning could occur without manual intervention.  But in
the meantime, adding a simple 'einsecure' function would be
sufficient.

Any interest?

Best regards,
Stu
--
--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Bryan Østergaard
On Tue, Oct 31, 2006 at 08:42:54PM +0100, Jakub Moc wrote:
> Fernando J. Pereda wrote:
> > On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
> > > Oh well, this apparently doesn't go anywhere, slacking is just
> > > wonderful, maintainers should just STFU and obey the almighty slacking
> > > arches, security is the least of a concern and no priority, not
> > > answering on a bug for half a year makes lots of sense and all is fine
> > > and dandy. More cruft in the tree for t3h win.
> >
> > Yeah, we are such slackers that we are able to maintain a whole tree of
> > keywords with less than 10 persons and less than 10 machines (alpha
> > example).
> >
> > You probably want a shell account on a mips/alpha/... machine so you can
> > start helping, right?
>
> This whole frickin' debate started when vivo mentioned a bug where no one
> from the concerned arches gave a damn for half a year. Not even uttering
> a simple "we don't care, punt it" or "we still have an issue with this
> and are working on it".
>
> Then ciaranm came w/ his "priorities" junk, spb joined to fuel the flame
> (as always) and then you came horribly offended (for whatever weird
> reason) about how I'm daring to dictate to some arches how they should do
> their job.
>
> OMG how hard is it to post one sentence on such bugs instead of playing
> a dead horse? Really, stop this nonsense.
Yes please stop your friggin nonsense when you have absolutely no idea
wtf you're talking about. Arch teams are doing everything they can to
keep up with bugs but have to take care of things according to how
important they are to the team in question.

Please go back to bug-wrangling and let the arch teams do their job
without throwing all that garbage at us all the time.

Regards,
Bryan Østergaard
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Seemant Kulleen
OK kids, settle down for a second and listen to your uncle Seemant.

First, enough with the insults being hurled around!  We don't need
people being called slackers and dumb and stupid and whatever other
creative labels are being developed.  That is absolutely and without a
doubt: non-productive.  The better alternative might be to approach
people with a modicum of respect (swallow the bile).

Second, there's an obvious point of frustration here.  The arch teams
due to being understaffed have a different set of priorities from the
security team and a different set of priorities from the maintainers.
And this is the correct way for these things to be.

Third, the best proposal I've seen here is for developers to get shell
accounts on alternate architectures.  There's quite a few of them
floating around, and I'm pretty sure the arch teams will help you get a
shell on one of the boxes somewhere.  Some of the arches even have shell
boxes for that purpose sitting at OSU or something.  This would work for
at least the console applications (the visual stuff will be a little
trickier).

So, that said, I'm going to have to go with the standard advice that
Gentoo developers give Gentoo users: if you see a problem, help fix it!

Alternatively, there might be reason to have an einsecure() call in
pkg_setup() or something for deprecated versions.

But let me say again: stop acting disrespectfully of each other, or I'm
going to turn this car around and drive us back home, I'm not kidding!

And give me some of that popcorn.

-- 
Seemant Kulleen
Developer, Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list
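Stuart Herbert's einsecure proposal earlier in the thread, and Seemant's mention of an einsecure() call in pkg_setup(), sketched as an added example. This is not code from the thread, from eutils.eclass or from Portage; the function body, its argument list and the wording are my assumptions. It relies on the ewarn/elog output helpers and the CATEGORY and PF variables that Portage provides inside the ebuild environment, and stubs the two helpers when the file is run outside Portage so it can be exercised on its own.

```shell
# Added example: a hypothetical einsecure() helper for an eclass such as
# eutils, in the spirit of the proposal above. Not from eutils.eclass or
# Portage. Portage defines ewarn/elog (and CATEGORY/PF) in the ebuild
# environment; they are stubbed here so the file also runs outside Portage.
command -v ewarn >/dev/null 2>&1 || ewarn() { printf ' * %s\n' "$*" >&2; }
command -v elog  >/dev/null 2>&1 || elog()  { printf ' * %s\n' "$*"; }

# einsecure BUG_ID...
#   Announce that this version of the package has known, unfixed security
#   bugs, list the Bugzilla entries, and return 0 so the merge continues:
#   the decision stays with the user, as proposed. Returns 1 (and says so)
#   when called without a bug id, so an empty call in an ebuild is noticed.
einsecure() {
    if [ $# -eq 0 ]; then
        ewarn "einsecure: at least one bug id is required"
        return 1
    fi
    ewarn "${CATEGORY}/${PF} has known, unfixed security vulnerabilities and"
    ewarn "is no longer supported by its maintainer. It stays in the tree only"
    ewarn "because nothing newer is keyworded for your architecture."
    ewarn "Read the following bug reports before deciding whether to use it:"
    for bug in "$@"; do
        elog "    http://bugs.gentoo.org/show_bug.cgi?id=${bug}"
    done
    ewarn "Testing a newer version and reporting to the arch team would help."
    return 0
}

# Intended use in an old ebuild kept only for an arch without anything newer
# (the bug number is the one discussed in this thread):
#
#   pkg_setup() {
#       einsecure 149626
#   }
```

Returning 0 rather than dying keeps the old ebuild installable, which is the whole point of leaving it in the tree for the arch; the message simply makes the trade-off visible in the merge output instead of leaving the user to find the bug on their own.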



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Fernando J. Pereda
On Tue, Oct 31, 2006 at 03:23:00PM -0500, Seemant Kulleen wrote:
> Third, the best proposal I've seen here is for developers to get shell
> accounts on alternate architectures.  There's quite a few of them
> floating around, and I'm pretty sure the arch teams will help you get a
> shell on one of the boxes somewhere.  Some of the arches even have shell
> boxes for that purpose sitting at OSU or something.  This would work for
> at least the console applications (the visual stuff will be a little
> trickier).

Just to add a little thing here:

Arch teams have been using vnc through ssh to test visual stuff like
gnome, kde, xfce and their respective mothers, for years.

So testing visual stuff remotely *is* possible.

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Ciaran McCreesh
On Tue, 31 Oct 2006 21:34:13 +0100 Fernando J. Pereda
[EMAIL PROTECTED] wrote:
| On Tue, Oct 31, 2006 at 03:23:00PM -0500, Seemant Kulleen wrote:
| > Third, the best proposal I've seen here is for developers to get
| > shell accounts on alternate architectures.  There's quite a few of
| > them floating around, and I'm pretty sure the arch teams will help
| > you get a shell on one of the boxes somewhere.  Some of the arches
| > even have shell boxes for that purpose sitting at OSU or
| > something.  This would work for at least the console applications
| > (the visual stuff will be a little trickier).
| 
| Just to add a little thing here:
| 
| Arch teams have been using vnc through ssh to test visual stuff like
| gnome, kde, xfce and their respective mothers, for years.
| 
| So testing visual stuff remotely *is* possible.

Kind of... You won't, for example, have picked up the endian bug in
urxvt by doing that.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-31 Thread Francesco Riosa
Francesco Riosa wrote:
[...]
>
> http://bugs.gentoo.org/show_bug.cgi?id=149626
> I'm going to die then, scheduled on 2006-11-05
> If keywording without archs support is only gambling I'll go that route
>
[...]
Worried that this can cause a flamewar I already updated the ebuild:
- it now uses the eclass
- the only stable keywords now are those of the arch not having a better
version

please don't tell anyone, I'm really worried it can cause a flamefest.

in the meantime the ~sparc-fbsd keyword reached the package, very
happy for that :) but I've keyworded DBI and DBD (perl stuff) to satisfy
the deps. Repoman was still complaining about missing KEY on
'=perl-core/Sys-Syslog-0.17' '=dev-perl/PlRPC-0.2' on dev-perl/DBI


ciao,
Francesco
-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Robin H. Johnson
On Sun, Oct 29, 2006 at 07:49:22PM -0700, Jason Wever wrote:
> Please triple check what you want to commit and verify that you don't do
> any of the following (which are punishable by death):
>
> 1) remove the last ebuild that is keyworded for a given arch, especially
>    when resulting in broken dependencies.
>
> 2) remove the last stable ebuild for an architecture
>
> 3) remove the last testing ebuild for an architecture when there is no
>    stable ebuild available after the removal

To generalize on Francesco's email, how long should developers wait for
minority arches to mark stuff stable, after a security bug, and then a
reminder more than 4 months later? 5 months of no response from the
arches says something is wrong on their side.

I think that usage statistics might point out that there is nobody even
using these specific ebuilds that are proposed for removal.

-- 
Robin Hugh Johnson
E-Mail : [EMAIL PROTECTED]
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Denis Dupeyron

On 10/30/06, Jason Wever [EMAIL PROTECTED] wrote:
> Please triple check what you want to commit and verify that you don't do
> any of the following (which are punishable by death):
>
> 1) remove the last ebuild that is keyworded for a given arch, especially
>    when resulting in broken dependencies.
>
> 2) remove the last stable ebuild for an architecture
>
> 3) remove the last testing ebuild for an architecture when there is no
>    stable ebuild available after the removal
>
> Consider yourself warned.  Violation of any of these will cause the
> jforman death goat squad to be dispatched to your location for a discreet
> hit.  For repeat offenders, public executions will be had, with Spanky
> hosting.

1) Would it be a good idea for repoman to detect these when scanning
for QA issues?

2) Would it be a good idea for repoman to alert QA (and possibly the
jforman death goat squad) in real time when a dev commits such
violations (and others)? This could enable other devs to act right
away and avoid havoc spreading too far.

Denis.
--
gentoo-dev@gentoo.org mailing list
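Denis's first question, a check for the three rules Jason quoted, as an added example written for this thread: it is not repoman or Portage code, and the function names are my own. It reads only the KEYWORDS="..." line of each ebuild in a package directory and, given the ebuild about to be removed, names every arch that would be left without a stable ebuild (rule 2) or without any keyworded ebuild at all (rules 1 and 3). The package directory and its three ebuilds (a hypothetical foo package) are constructed in make_sample_tree.

```shell
# Added example, not from the thread, repoman or Portage: a pre-removal check
# for the three rules quoted above. Only the KEYWORDS="..." line of each ebuild
# is inspected; dependency breakage (the "especially" in rule 1) is not modelled.

# keywords_of FILE: print the tokens of the ebuild's KEYWORDS= line, one per line.
keywords_of() {
    sed -n 's/^KEYWORDS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tr ' ' '\n' | grep -v '^$' || true
}

# removal_breaks_arch PKGDIR VICTIM
#   For every arch VICTIM is keyworded for, look at the remaining ebuilds in
#   PKGDIR. Prints "arch:stable" when VICTIM is the last stable ebuild for that
#   arch (rule 2) and "arch:any" when it is the last keyworded ebuild at all
#   (rules 1 and 3). Returns 1 if anything was printed, 0 if the removal is safe.
removal_breaks_arch() {
    pkgdir=$1
    victim=$2
    rc=0
    for kw in $(keywords_of "$pkgdir/$victim"); do
        case $kw in
            -*)  continue ;;                    # -arch: explicitly masked, nothing to lose
            \~*) arch=${kw#"~"}; want=any ;;    # ~arch: testing keyword
            *)   arch=$kw;       want=stable ;; # arch: stable keyword
        esac
        stable_left=0
        any_left=0
        for other in "$pkgdir"/*.ebuild; do
            [ "$(basename "$other")" = "$victim" ] && continue
            for okw in $(keywords_of "$other"); do
                if [ "$okw" = "$arch" ]; then
                    stable_left=1
                    any_left=1
                elif [ "$okw" = "~$arch" ]; then
                    any_left=1
                fi
            done
        done
        if [ "$want" = stable ] && [ "$stable_left" = 0 ]; then
            echo "$arch:stable"
            rc=1
        elif [ "$any_left" = 0 ]; then
            echo "$arch:any"
            rc=1
        fi
    done
    return $rc
}

# make_sample_tree: constructed sample package directory with three versions
# of a hypothetical "foo" package; prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'KEYWORDS="alpha ~mips sparc x86"\n' > "$d/foo-1.0.ebuild"
    printf 'KEYWORDS="~alpha sparc x86"\n'      > "$d/foo-1.1.ebuild"
    printf 'KEYWORDS="~sparc ~x86"\n'           > "$d/foo-1.2.ebuild"
    echo "$d"
}

# Usage from a package directory, before the cvs rm:
#   removal_breaks_arch . foo-1.0.ebuild && echo "safe to remove"
# On the sample tree, removing foo-1.0 reports alpha:stable (only ~alpha is
# left) and mips:any (nothing else is keyworded for mips); removing foo-1.1
# or foo-1.2 reports nothing.
```

The check is deliberately conservative: an arch that keeps a testing keyword but loses its last stable one is still flagged, because that is exactly the case rule 2 forbids, and a `-arch` entry on the ebuild being removed is ignored since a mask removes nothing the arch could use.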



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ferris McCormick
On Mon, 2006-10-30 at 00:28 -0800, Robin H. Johnson wrote:
 On Sun, Oct 29, 2006 at 07:49:22PM -0700, Jason Wever wrote:
  Please triple check what you want to commit and verify that you don't do 
  any of the following (which are punishable by death):
  
  1) remove the last ebuild that is keyworded for a given arch, especially
 when resulting in broken dependencies.
  
  2) remove the last stable ebuild for an architecture
  
  3) remove the last testing ebuild for an architecture when there is no
 stable ebuild available after the removal
 
 To generalize on Francesco's email, how long should developers wait for
 minority arches to mark stuff stable, after a security bug, and then a
 reminder more than 4 months later? 5 months of no response from the
 arches says something is wrong on their side.
 
I might be mistaken, but I believe sparc responds pretty quickly to
security bugs, either by taking the requested action or by explaining
why the requested action is impossible (i.e., build problems).

 I think that usage statistics might point out that there are nobody even
 using these specific ebuilds that are proposed for removal.
 

Regards,
-- 
Ferris McCormick (P44646, MI) [EMAIL PROTECTED]
Developer, Gentoo Linux (Devrel, Sparc)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ciaran McCreesh
On Mon, 30 Oct 2006 00:28:29 -0800 Robin H. Johnson
[EMAIL PROTECTED] wrote:
| To generalize on Francesco's email, how long should developers wait
| for minority arches to mark stuff stable, after a security bug, and
| then a reminder more than 4 months later?

Indefinitely. There's no harm leaving ebuilds around.

| 5 months of no response from the arches says something is wrong on
| their side.

Or it tells you where their priorities lie...

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Carsten Lohrke
On Monday 30 October 2006 14:23, Ferris McCormick wrote:
> I might be mistaken, but I believe sparc responds pretty quickly to
> security bugs, either by taking the requested action or by explaining
> why the requested action is impossible (i.e., build problems).

Yes, the Sparc team is rather quick - even among security-wise supported 
architectures. None of the archs cc'ed to the bug in question is 
security-wise supported. We communicate this on our vulnerability policy[1] 
page - a bit too hidden for my taste.


Carsten


[1] http://www.gentoo.org/security/en/vulnerability-policy.xml




Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Jakub Moc
Ciaran McCreesh wrote:
> On Mon, 30 Oct 2006 00:28:29 -0800 Robin H. Johnson
> [EMAIL PROTECTED] wrote:
> | To generalize on Francesco's email, how long should developers wait
> | for minority arches to mark stuff stable, after a security bug, and
> | then a reminder more than 4 months later?
>
> Indefinitely. There's no harm leaving ebuilds around.

Joking, right? Who's gonna maintain the vulnerable, broken, dead cruft? You?

> | 5 months of no response from the arches says something is wrong on
> | their side.
>
> Or it tells you where their priorities lie...

Sure. So they don't need the keywords nor the package.



-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ciaran McCreesh
On Mon, 30 Oct 2006 20:09:56 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh wrote:
| > On Mon, 30 Oct 2006 00:28:29 -0800 Robin H. Johnson
| > [EMAIL PROTECTED] wrote:
| > | To generalize on Francesco's email, how long should developers
| > | wait for minority arches to mark stuff stable, after a security
| > | bug, and then a reminder more than 4 months later?
| >
| > Indefinitely. There's no harm leaving ebuilds around.
| 
| Joking, right? Who's gonna maintain the vulnerable, broken, dead
| cruft? You?

If there's any 'maintaining' to be done, they switch to the newer
version. If a herd goes around 'maintaining' old ebuilds on a regular
basis, however, then they're doing something wrong.

| > | 5 months of no response from the arches says something is wrong on
| > | their side.
| >
| > Or it tells you where their priorities lie...
| 
| Sure. So they don't need the keywords nor the package.

No no. They might need the package, just not necessarily a particular
version.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Jakub Moc
Ciaran McCreesh napsal(a):
 |  | 5 months of no response from the arches says something is wrong on
 |  | their side.
 |  
 |  Or it tells you where their priorities lie...
 | 
 | Sure. So they don't need the keywords nor the package.
 
 No no. They might need the package, just not necessarily a particular
 version.

As you might have noticed, they already have a newer version
stable. But apparently asking them to respond on a bug within 5 months
is way too much. :P


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ciaran McCreesh
On Mon, 30 Oct 2006 20:50:06 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh napsal(a):
|  |  | 5 months of no response from the arches says something is
|  |  | wrong on their side.
|  |  
|  |  Or it tells you where their priorities lie...
|  | 
|  | Sure. So they don't need the keywords nor the package.
|  
|  No no. They might need the package, just not necessarily a
|  particular version.
| 
| As you might have noticed, they already have a newer version
| stable. But apparently asking them to respond on a bug within 5 months
| is way too much. :P

Well yes, since there's no clear link between bugs and packages. Things
can get stabled incidentally and for reasons other than the ones in one
particular bug.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Jakub Moc
Ciaran McCreesh napsal(a):
 | As you might have noticed, they already have a newer version
 | stable. But apparently asking them to respond on a bug within 5 months
 | is way too much. :P
 
 Well yes, since there's no clear link between bugs and packages. Things
 can get stabled incidentally and for reasons other than the ones in one
 particular bug.

Eh? Stabilizing for multiple security issues [1] is incidental?!

[1]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1518
http://bugs.gentoo.org/show_bug.cgi?id=132146

What on earth are you talking about here? And why is almost 6 months not
enough for someone to respond on a bug with a simple "we'll only support
newer versions and don't care about MySQL 4.0.x any more, go drop it"?


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ciaran McCreesh
On Mon, 30 Oct 2006 21:46:33 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh napsal(a):
|  | As you have might have noticed, they already have a newer version
|  | stable. But apparently asking them to respond on a bug within 5
|  | months is way too much. :P
|  
|  Well yes, since there's no clear link between bugs and packages.
|  Things can get stabled incidentally and for reasons other than the
|  ones in one particular bug.
| 
| Eh? Stabilizing for multiple security issues [1] is incidental?!

Stabling for multiple local denial of service security issues can be
done incidentally when stabling for a data loss fix (which I'm
not claiming is the case for one particular package, but merely giving
as an example demonstrating what incidental means).

| What on earth are you talking about here? And why is almost 6 months
| not enough for someone to respond on a bug with a simple "we'll only
| support newer versions and don't care about MySQL 4.0.x any more, go
| drop it"?

Priorities. The arch teams could be too busy dealing with other bugs
that matter more or too busy dealing with noise bugs.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Jakub Moc
Ciaran McCreesh napsal(a):
 | What on earth are you talking about here? And why is almost 6 months
 | not enough for someone to respond on a bug with a simple "we'll only
 | support newer versions and don't care about MySQL 4.0.x any more, go
 | drop it"?
 
 Priorities. The arch teams could be too busy dealing with other bugs
 that matter more or too busy dealing with noise bugs.

Sorry, taking 1 minute to respond on a bug after being poked for a
couple of months is not a matter of priorities, but mere politeness and
common sense. Seriously, you can't work productively with other people
if they can't be bothered to write one sentence for months.


-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=getsearch=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)





Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-30 Thread Ciaran McCreesh
On Mon, 30 Oct 2006 18:46:25 -0500 Alec Warner [EMAIL PROTECTED]
wrote:
| I'm actually going to agree with jakub here.  I wouldn't even say
| they need to fix the bug; but just acknowledge that they even read it
| or paid attention, or "hey, we are working on it", or "hey, we don't
| give a flying rat's ass".
| 
| There is a minimal level of communication that is required between
| groups, otherwise nothing gets done and you *will* get people
| breaking your arch tree or pulling your keywords, because if you
| haven't commented on the bug ever then most sane people would probably
| assume you don't care.

The thing is, at any given time there are probably a hundred or more
bugs assigned to arch teams with people whining for attention. At least
two thirds of those whines are unhelpful and serve no purpose.
Filtering out the legitimate calls for attention would take even more
time away from fixing the things.

So, unless you can recruit somebody *good* to let the arch teams know
which bugs should be prioritised, the only thing that increasing
communication would do is decrease the number of bugs that get fixed.

-- 
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13





[gentoo-dev] Only you can prevent broken portage trees

2006-10-29 Thread Jason Wever

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi All,

Apparently it's been too long since I've sent one of these out, as people 
are starting to slip up and break the tree again.


Please triple check what you want to commit and verify that you don't do 
any of the following (which are punishable by death):


1) remove the last ebuild that is keyworded for a given arch, especially
   when resulting in broken dependencies.

2) remove the last stable ebuild for an architecture

3) remove the last testing ebuild for an architecture when there is no
   stable ebuild available after the removal

Consider yourself warned.  Violation of any of these will cause the 
jforman death goat squad to be dispatched to your location for a discreet 
hit.  For repeat offenders, public executions will be had, with Spanky 
hosting.


Thanks :)
- -- 
Jason Wever

Gentoo/Sparc Team Co-Lead
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFRWg1dKvgdVioq28RAj+tAJ4o4sDm3gMHXFJD93p7A3sQfDIjQwCfRGoo
83p8MPbKPzjgbkM0B684l8M=
=hGcH
-END PGP SIGNATURE-
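The three rules above are an invariant on per-arch keyword coverage: after a removal, no arch may be left without any keyworded ebuild, without a stable ebuild it previously had, or without a testing ebuild when no stable one remains. The script below is an added illustration (not Gentoo or Portage tooling, and not part of the original message) that checks a proposed removal against those rules from the ebuilds' KEYWORDS strings. The package name, version numbers and keyword sets are constructed for the example; the "broken dependencies" half of rule 1 is not modelled, since that needs a full dependency resolver.

```python
"""Keyword-coverage check for the three tree-breaking removals listed in
Jason Wever's message.  Added illustration, not Gentoo/Portage code: it
parses KEYWORDS strings as ebuilds express them and reports which rule a
proposed removal would break, and for which arch.  Dependency breakage is
not modelled here."""

from typing import Dict, List, Set

# Constructed sample package: three versions with made-up KEYWORDS values.
SAMPLE_PACKAGE: Dict[str, str] = {
    "foo-1.0": "alpha amd64 sparc x86",
    "foo-1.1": "amd64 ~sparc x86",
    "foo-1.2": "~amd64 ~x86",
}


def parse_keywords(keywords: str) -> Dict[str, str]:
    """Map each arch in a KEYWORDS string to 'stable', 'testing' or 'masked'.

    'arch' is stable, '~arch' is testing, '-arch' is masked on that arch.
    Wildcard tokens ('*', '~*', '-*') carry no per-arch information for
    this check and are skipped.
    """
    state: Dict[str, str] = {}
    for token in keywords.split():
        if token.lstrip("~-") == "*":
            continue
        if token.startswith("~"):
            state[token[1:]] = "testing"
        elif token.startswith("-"):
            state[token[1:]] = "masked"
        else:
            state[token] = "stable"
    return state


def arch_coverage(ebuilds: Dict[str, str]) -> Dict[str, Set[str]]:
    """For every arch mentioned, collect which states ('stable', 'testing')
    the set of ebuilds provides.  A masked keyword gives no coverage."""
    coverage: Dict[str, Set[str]] = {}
    for keywords in ebuilds.values():
        for arch, state in parse_keywords(keywords).items():
            coverage.setdefault(arch, set())
            if state != "masked":
                coverage[arch].add(state)
    return coverage


def check_removal(ebuilds: Dict[str, str], removed: List[str]) -> List[str]:
    """Return the rule 1-3 violations that deleting `removed` would cause.

    An empty list means every arch keeps the stable/testing coverage it had
    before; it does not prove that dependencies still resolve.
    """
    before = arch_coverage(ebuilds)
    after = arch_coverage({v: k for v, k in ebuilds.items() if v not in removed})
    violations: List[str] = []
    for arch, had in before.items():
        left = after.get(arch, set())
        # Rule 1: the arch had some keyworded ebuild and now has none.
        if had and not left:
            violations.append(f"rule 1: {arch} loses its last keyworded ebuild")
        # Rule 2: the arch had a stable ebuild and now has none.
        if "stable" in had and "stable" not in left:
            violations.append(f"rule 2: {arch} loses its last stable ebuild")
        # Rule 3: the last testing ebuild goes and no stable one remains.
        if "testing" in had and "testing" not in left and "stable" not in left:
            violations.append(
                f"rule 3: {arch} loses its last testing ebuild with no stable left"
            )
    return violations


if __name__ == "__main__":
    for removal in (["foo-1.0"], ["foo-1.2"], ["foo-1.0", "foo-1.1"]):
        report = check_removal(SAMPLE_PACKAGE, removal) or ["safe"]
        print(f"remove {removal}: " + "; ".join(report))
```

Run as a script, it shows that dropping foo-1.2 alone is safe (amd64 and x86 keep a stable version), while dropping foo-1.0 orphans alpha entirely and leaves sparc with only a testing ebuild. A real pre-commit hook would read the KEYWORDS from the ebuild metadata cache instead of the constructed dictionary.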



Re: [gentoo-dev] Only you can prevent broken portage trees

2006-10-29 Thread Francesco Riosa
Jason Wever ha scritto:
 Hi All,
 
 Apparently it's been too long since I've sent one of these out, as people
 are starting to slip up and break the tree again.
 
 Please triple check what you want to commit and verify that you don't do
 any of the following (which are punishable by death):
 
 1) remove the last ebuild that is keyworded for a given arch, especially
when resulting in broken dependencies.

http://bugs.gentoo.org/show_bug.cgi?id=149626
I'm going to die then, scheduled on 2006-11-05
If keywording without arch support is only gambling, I'll go that route.

 2) remove the last stable ebuild for an architecture
 
 3) remove the last testing ebuild for an architecture when there is no
stable ebuild available after the removal
 
 Consider yourself warned.  Violation of any of these will cause the
 jforman death goat squad to be dispatched to your location for a
 discreet hit.  For repeat offenders, public executions will be had, with
 Spanky hosting.
 
 Thanks :)
 -- Jason Wever
 Gentoo/Sparc Team Co-Lead