On Wed, Mar 2, 2016 at 2:11 PM, James <wirel...@tampabay.rr.com> wrote:
> Rich Freeman <rich0 <at> gentoo.org> writes:
>
> Excuse me, but I did not criticize anyone.

I know. It was really meant to temper my remarks, since email is easy to misconstrue. It wasn't really directed at you, and you did get at your intent at the end of your previous post.

>
>> Revbumping wouldn't help, and I'm pretty sure they did revbump it.
>> The real issue was upstream, and I'd have to think about whether
>> trying to fix it with a Gentoo patch would make things better or worse
>> (it would make Gentoo different from everybody else, causing havoc if
>> you had a proprietary binary you wanted to run and so on).
>
> One of the dev-quiz questions is about how long to leave a package in
> testing, with 30 days being the minimum, unless there is critical need,
> or have I not correctly understood the docs and devmanual? Again, I have no
> idea how long this package was in 'testing' but, this does sound like an
> excellent opportunity for fledgling devs to learn a bit deeper?

So far this package is only in testing. Nobody would have run into this issue if they weren't running ~arch. While disruptions this large are undesirable even in ~arch, the reality is that you're much more likely to run into them since you are the guinea pigs.

This is actually a security issue as well, so there is going to be a rush to get it stabilized somehow. I'm not entirely sure how yet. Security issues are exempt from the 30 day rule, and we don't always backport them.

>
> So what commands do I run (git style) to see the history of the relevant
> build/release dates for openssl? The changelog seems incomplete....

Are you talking about upstream, or within Gentoo?

Within gentoo online you can just browse:
https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-libs/openssl

Hit log next to any file you're interested in, or go up a directory and hit log next to the openssl directory itself to see everything including file deletions/etc.

Or with git you can run:
git clone git://anongit.gentoo.org/repo/gentoo.git
cd gentoo/dev-libs/openssl
git log .

>
>> The way openssl handles their ABIs really makes me think that libressl
>> may not be the lesser evil. Sloppy SONAME handling causes all kinds
>> of issues though and seeing it in high-profile projects like these is
>> pretty concerning.
>
> Good to know. In fact gentoo supports such a wide variety of libs so all of
> this information, in a practical example, is very valuable imho.

There are pros and cons to it, but I wouldn't be here if I didn't think that letting the users pick the winner between openssl/libressl wasn't a good thing. Initially I was pushing back on adding libressl to the tree a bit just to see if we could come up with a better way to do it in light of the mess we ran into with libav. In the end we couldn't come up with anything so it moved forward.

> Easy on being so critical, either for others or yourself.

I was just joking with that, hence the point about somebody bringing it up when I inevitably make a mistake.

> Besides this is excellent evidence
> for CI (Jenkins + Gerrit) ? Are you not a proponent of CI for Gentoo?

I'm definitely a proponent. It can be a bit problematic resource-wise and with latency. However, I should really get into the habit of trying to do commits via pull-requests that hit our CI system.

--
Rich