Re: [gentoo-dev] A Gentle Reminder
On Thu, 8 Feb 2007 22:34:32 + Stephen Bennett <[EMAIL PROTECTED]> wrote:
> If any of you were thinking of removing the latest stable version of a
> package, don't. Even if you're the package maintainer, even if there
> are open security bugs against it, even if someone has filed you a bug
> requesting that it be removed. If it's the latest stable version on
> any architecture, you don't remove it. If you do, we'll know, and we
> won't be happy.
>
> There. It's not that hard to understand, is it?

Do you object to such packages (specifically with security issues) being p.masked?

I'm not sure we should be encouraging people to continue using packages when we know there are known security issues.

--
Kevin F. Quinn
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 13:22:48 +0100 "Kevin F. Quinn" <[EMAIL PROTECTED]> wrote:
| Do you object to such packages (specifically with security issues)
| being p.masked?

If it's forcing a downgrade, yes.

| I'm not sure we should be encouraging people to continue using
| packages when we know there are known security issues.

You assume that being affected by a local denial of service on a system where all users have the root password is more important than using a package that has been verified to work by an arch team member.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Kevin F. Quinn wrote:
> Do you object to such packages (specifically with security issues) being
> p.masked?

I'd say drop all but the "slacking" arch's keywords, as Luca suggested. It may well be one of the security-unsupported arches anyway.

--
Vlastimil Babka (Caster)
Gentoo/Java

--
gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] A Gentle Reminder
On Sunday 11 February 2007, Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 13:22:48 +0100 "Kevin F. Quinn"
> | I'm not sure we should be encouraging people to continue using
> | packages when we know there are known security issues.
>
> You assume that being affected by a local denial of service on a system
> where all users have the root password is more important than using a
> package that has been verified to work by an arch team member.

wonder if there'd be a way of leveraging the glsa tags ...

if ("remote" in ) screw over $ARCH in KEYWORDS
-mike
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 07:56:29 -0500 Mike Frysinger <[EMAIL PROTECTED]> wrote:
> wonder if there'd be a way of leveraging the glsa tags ...
>
> if ("remote" in ) screw over $ARCH in KEYWORDS
> -mike

If it's a security-unsupported arch we probably don't even care about that enough to lose keywords. If a particular sysadmin does care about security of his unsupported experimental systems, he can use his package manager's capabilities to remove insecure packages rather than us forcing it on everyone. When it comes to this sort of machine, working beats secure but broken any day.
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 12:33:52 + Ciaran McCreesh <[EMAIL PROTECTED]> wrote:
> On Sun, 11 Feb 2007 13:22:48 +0100 "Kevin F. Quinn"
> <[EMAIL PROTECTED]> wrote:
> | Do you object to such packages (specifically with security issues)
> | being p.masked?
>
> If it's forcing a downgrade, yes.
>
> | I'm not sure we should be encouraging people to continue using
> | packages when we know there are known security issues.
>
> You assume that being affected by a local denial of service on a
> system where all users have the root password is more important than
> using a package that has been verified to work by an arch team member.

I said nothing about local denial of service; perhaps you're thinking of a particular instance - I'm not. To rhetorically follow your line of discussion, you're happy to have remote exploits remain in the tree (i.e. promoted by Gentoo) if a package is marked stable and a patch isn't available?

The point about p.masking (rather than removal) is that we have then made reasonable efforts to inform the user and give them the opportunity to decide what they want to do, based on their own security policy - which could be to unmask locally and continue regardless, or could be to remove the package and try something else. That way they'd be making informed decisions.

I think if we're to promote packages that have security issues on an arch, we need to be very clear that we're not making reasonable efforts to ensure that arch is free of known exploits.

--
Kevin F. Quinn
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:
> I think if we're to promote packages that have security issues on an
> arch, we need to be very clear that we're not making reasonable efforts
> to ensure that arch is free of known exploits.
>

I agree. The term "promote" is perhaps a little bit exaggerated, but vulnerability monitoring is useful only if it's exhaustive - so far as possible. If, say, 5% of security weaknesses are voluntarily kept in portage, that means that the security concerned users can't rely on GLSAs and package.mask: they should rely on their own security vulnerabilities monitoring, and that means we've failed.

But a "temporary masking GLSA" which would not cover all arches may be acceptable, without abuse. I still prefer to see vulnerable packages in p.mask with a 2-line short comment and the bug number.

Cheers,
--
Raphael Marichez aka Falco
[gentoo-dev] Last rite libtc, tc2, tc2-modules and tcvp.
Announcing last rites for following ebuilds,

# Samuli Suominen <[EMAIL PROTECTED]> (11 Feb 2007)
# CVS is dead for 3 years. Bad USE of static. Libtool is broken
# and it is maintainer-needed.
dev-libs/libtc
dev-libs/tc2
dev-libs/tc2-modules
media-video/tcvp

Unless someone steps up I'll be removing this in a month.

Related bug is http://bugs.gentoo.org/show_bug.cgi?id=166342 which covers USE of static. Libtool is beyond simple fixing by autotools.eclass, and they introduce broken libtool -patch hack in configure.in.
Re: [gentoo-dev] Last rite libtc, tc2, tc2-modules and tcvp.
Samuli Suominen wrote:
> Announcing last rites for following ebuilds,
>
> # Samuli Suominen <[EMAIL PROTECTED]> (11 Feb 2007)
> # CVS is dead for 3 years.

They moved to monotone http://viewmtn.inprovide.com/

> Bad USE of static. Libtool is broken
> and it is maintainer-needed.

Ouch

> dev-libs/libtc
> dev-libs/tc2
> dev-libs/tc2-modules
> media-video/tcvp
>

lu

--
Luca Barbato
Gentoo/linux Gentoo/PPC
http://dev.gentoo.org/~lu_zero
Re: [gentoo-dev] punt raidtools and move people to mdadm
> Mike Frysinger wrote:
>> anyone have a compelling reason for keeping raidtools anymore ? the mdadm
>> package replaces all the functionality of raidtools and is actively
>> maintained upstream
>>
>> ive kept it around mostly so people can transition to mdadm nicely but i
>> think
>> it's about time we let it go
>> -mike
> Do we have documentation on howto migrate? That's the big thing holding
> me back(afaik, I have to backup, wipe the disks and then do mdadm and
> restore)

H another case for my PORTDIR_OVERLAY=/usr/local/portage :(

--
Joerg Bornkessel
mailto:[EMAIL PROTECTED]
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 15:42:33 +0100 "Kevin F. Quinn" <[EMAIL PROTECTED]> wrote:
| I said nothing about local denial of service; perhaps you're thinking
| of a particular instance - I'm not. To rhetorically follow your line
| of discussion, you're happy to have remote exploits remain in the tree
| (i.e. promoted by Gentoo) if a package is marked stable and a patch
| isn't available?

You're trying to use the blanket justification of "it's security" to break the tree, regardless of the severity of the vulnerability and the impact of the fix. This is not a reasonable approach, and it leads people to go around screaming at developers to go around keywording things without proper testing, regardless of impact.

Here's an alternative policy that makes much more sense:

* Drop keywords from vulnerable versions as stable versions are keyworded.

* Don't remove packages that will end up breaking the tree or forcing downgrades; conversely, when vulnerable packages *can* be removed safely, do so.

* If an arch team is lagging behind on a serious vulnerability, people who are not Jakub politely asking for updates now and again is ok.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Ciaran McCreesh <[EMAIL PROTECTED]> wrote:
> On Sun, 11 Feb 2007 15:42:33 +0100 "Kevin F. Quinn" wrote:
> | I said nothing about local denial of service; perhaps you're thinking
> | of a particular instance - I'm not. To rhetorically follow your line
> | of discussion, you're happy to have remote exploits remain in the tree
> | (i.e. promoted by Gentoo) if a package is marked stable and a patch
> | isn't available?
>
> You're trying to use the blanket justification of "it's security" to
> break the tree, regardless of the severity of the vulnerability and
> the impact of the fix.

And i understood he argued quite the opposite. To my knowledge the security team p.masks "common" (type A and B) packages, and i'm sure they don't do this for nothing, though i agree that probably should be left for severity > normal. In all other cases, a temporary GLSA, as already outlined on the team's project page, should suffice. But then, i've no say in this and i trust those people to take responsible action to protect gentoo's users (you and me among them).

> This is not a reasonable approach, and it leads
> people to go around screaming at developers to go around keywording
> things without proper testing, regardless of impact.

My reading of that "target date" on http://www.gentoo.org/security/en/vulnerability-policy.xml allows for testing with regard to impact -- the response time (and thus possible testing time) should be reciprocal to the severity of the vulnerability.

> Here's an alternative policy that makes much more sense:
>
> * Drop keywords from vulnerable versions as stable versions are
> keyworded.

Um, not sure i understand you correctly here: you're suggesting security team drops the affected package keywords and let arch teams readd stable to the new ones? This forces downgrades just like p.masking them... Basically, as a systems administrator, you have to act on a GLSA. If that means unmasking or readding keywords, i don't care.

> * Don't remove packages that will end up breaking the tree or forcing
> downgrades; conversely, when vulnerable packages *can* be removed
> safely, do so.

And is/should be done right now :-)

> * If an arch team is lagging behind on a serious vulnerability, people
> who are not Jakub politely asking for updates now and again is ok.

That's why we have security contacts on every supported arches... They're supposed to handle that, and the policy is quite clear what happens if they fail (not implying they do...)

Uh, such a lengthy email, hope my point comes across: the sec team does a good job, imho && afaik :-)

--
Regards, Matti Bickel
Homepage: http://www.rateu.de
Encrypted/Signed Email preferred
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 17:18:45 +0100 Matti Bickel <[EMAIL PROTECTED]> wrote:
| And i understood he argued quite the opposite. To my knowledge the
| security team p.masks "common" (type A and B) packages, and i'm sure
| they don't do this for nothing, though i agree that probably should be
| left for severity > normal.

Here's the thing though. Masking too early breaks the tree. This causes no end of problems for arch teams who are then left having to fix not only that but all the associated problems when developers start removing keywords to shut repoman up (which in turn leads to more broken deps...). That's the issue here.

| > This is not a reasonable approach, and it leads
| > people to go around screaming at developers to go around keywording
| > things without proper testing, regardless of impact.
|
| My reading of that "target date" on
| http://www.gentoo.org/security/en/vulnerability-policy.xml
| allows for testing with regard to impact -- the response time (and
| thus possible testing time) should be reciprocal to the severity of
| the vulnerability.

You're assuming that all archs have enough spare time and developers to be able to look at some security bug on an app that only had keywords because someone keyworded it to shut repoman up straight away. This isn't the case -- given a choice between, say, getting up to date KDE or Gnome releases or a security vulnerability for some app with two users, the security vulnerability quite rightly loses.

| > Here's an alternative policy that makes much more sense:
| >
| > * Drop keywords from vulnerable versions as stable versions are
| > keyworded.
|
| Um, not sure i understand you correctly here:
| you're suggesting security team drops the affected package keywords
| and let arch teams readd stable to the new ones?

No. Arch teams could drop keywords from vulnerable versions at the same time they stable unaffected versions.

| > * Don't remove packages that will end up breaking the tree or
| > forcing downgrades; conversely, when vulnerable packages *can* be
| > removed safely, do so.
|
| And is/should be done right now :-)

No, what's done right now is that Jakub files whiny bugs demanding immediate action from arch teams but assigning the bugs to package maintainers, resulting in dropped keywords because the maintainers assume that they can rely upon Jakub's bug descriptions being correct. Several recent incidents like this are what prompted the initial email.

| > * If an arch team is lagging behind on a serious vulnerability,
| > people who are not Jakub politely asking for updates now and again
| > is ok.
|
| That's why we have security contacts on every supported arches...
| They're supposed to handle that, and the policy is quite clear what
| happens if they fail (not implying they do...)

And unsupported archs? They're mostly the ones being screwed over here.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Ciaran McCreesh wrote:
> | > * Don't remove packages that will end up breaking the tree or
> | > forcing downgrades; conversely, when vulnerable packages *can* be
> | > removed safely, do so.
> |
> | And is/should be done right now :-)
>
> No, what's done right now is that Jakub files whiny bugs demanding
> immediate action from arch teams but assigning the bugs to package
> maintainers, resulting in dropped keywords because the maintainers
> assume that they can rely upon Jakub's bug descriptions being correct.
> Several recent incidents like this are what prompted the initial email.

Hey, kindly leave me alone...

- I'm *not* demanding anything from *arch teams*, the bugs are for *maintainers* of those packages. I've already told you couple of times, why are you making these misleading statements yet again?

- Not my problem that maintainers didn't check keywords on removal (even on bugs where mips is CCed). Developers are supposed to use *brain* when punting vulnerable versions (like with any other commit).

- Also not my problem that $arch is still affected by such bugs months or even years after respective GLSAs have been issued (which has caused the ebuilds to still stay in the tree and hence made me file the bugs). Before I've started filing these bugs, we had vulnerable crap back from ~2004 lingering in the tree.

- Leaving vulnerable junk in the tree for an indefinite period of time sucks and is causing needless work for maintainers. We lack any policy on this, but if some arch can't act for over a year, they deserve to get the keywords dropped and get their deptree broken, sorry. Not maintainers' fault that no one has cared enough.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
| - I'm *not* demanding anything from *arch teams*, the bugs are for
| *maintainers* of those packages. I've already told you couple of
| times, why are you making these misleading statements yet again?

And yet, somehow developers are interpreting your bugs as requests to remove packages straight away. Why do you think this is? Maybe it's because you assign the bugs to maintainers rather than the arch teams and make lots of noise about it, regardless of whether arch keywording still has to be done...

*All* the recent forced downgrade and dep tree breakages for at least one arch have come about as a result of your highly misleading bugs. Granted, it's ultimately the responsibility of the maintainers to check their work, but you aren't exactly helping them with the way you're filing bugs and screaming...

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
> | - I'm *not* demanding anything from *arch teams*, the bugs are for
> | *maintainers* of those packages. I've already told you couple of
> | times, why are you making these misleading statements yet again?
>
> And yet, somehow developers are interpreting your bugs as requests to
> remove packages straight away. Why do you think this is? Maybe it's
> because you assign the bugs to maintainers rather than the arch teams
> and make lots of noise about it, regardless of whether arch keywording
> still has to be done...

Why should I assign bugs to arch teams??? Arch teams are not supposed to punt stuff from the tree, it's maintainer's job.

> *All* the recent forced downgrade and dep tree breakages for at least
> one arch have come about as a result of your highly misleading bugs.
> Granted, it's ultimately the responsibility of the maintainers to check
> their work, but you aren't exactly helping them with the way you're
> filing bugs and screaming...

Screaming? WTF really. What's misleading about listing vulnerable versions and asking for their removal?

- check the keywords and dependencies
- if nothing is wrong, punt those
- otherwise CC the affected arch(es) and ask for keywording/stabilizing a newer version, punt then.

Really a rocket science, huh? Stop blaming me for maintainers' screwups, TIA.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 18:49:21 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
| Why should I assign bugs to arch teams??? Arch teams are not supposed
| to punt stuff from the tree, it's maintainer's job.

Because the arch teams have to do work before the maintainers can do anything.

| > *All* the recent forced downgrade and dep tree breakages for at
| > least one arch have come about as a result of your highly
| > misleading bugs. Granted, it's ultimately the responsibility of the
| > maintainers to check their work, but you aren't exactly helping
| > them with the way you're filing bugs and screaming...
|
| Screaming? WTF really. What's misleading about listing vulnerable
| versions and asking for their removal?

They can't be removed yet. Stop filing bugs telling people to do so.

| Really a rocket science, huh? Stop blaming me for maintainers'
| screwups, TIA.

Believe it or not, Jakub, some maintainers still trust you. They expect your bugs to be accurate. You and I know that this is highly silly, but enough people act upon what you tell them to do that stuff gets broken on a regular basis.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
On Sun, Feb 11, 2007 at 05:40:27PM +, Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
> | - I'm *not* demanding anything from *arch teams*, the bugs are for
> | *maintainers* of those packages. I've already told you couple of
> | times, why are you making these misleading statements yet again?
>
> And yet, somehow developers are interpreting your bugs as requests to
> remove packages straight away. Why do you think this is? Maybe it's
> because you assign the bugs to maintainers rather than the arch teams
> and make lots of noise about it, regardless of whether arch keywording
> still has to be done...

In case someone thinks this is just ciaranm inventing stuff, this has happened not too far ago. Some mozilla package got p.masked while some ebuilds still depended on it. It is definitely _not_ Jakub to blame (imho) but I'm pretty sure said developer *thought* he had checked rdeps before. Result: some people (users here) got screwed because of misunderstanding.

- ferdy

--
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED ED0B 0A48 5B0C 60BD 28D4
Re: [gentoo-dev] A Gentle Reminder
Ciaran McCreesh wrote:
> | Screaming? WTF really. What's misleading about listing vulnerable
> | versions and asking for their removal?
>
> They can't be removed yet. Stop filing bugs telling people to do so.

Eh? Why should I stop filing bugs about stale vulnerable cruft? Should it stay in the tree forever (unless some $we_all_know_which_arch dev wakes up by miracle and moves)?

> Believe it or not, Jakub, some maintainers still trust you. They expect
> your bugs to be accurate. You and I know that this is highly silly, but
> enough people act upon what you tell them to do that stuff gets broken
> on a regular basis.

Oh, there's nothing like attacking someone for someone else's fault. Won't waste my time on your trollish rants any more.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 19:50:02 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
| Ciaran McCreesh wrote:
| > | Screaming? WTF really. What's misleading about listing vulnerable
| > | versions and asking for their removal?
| >
| > They can't be removed yet. Stop filing bugs telling people to do so.
|
| Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
| it stay in the tree forever (unless some $we_all_know_which_arch dev
| wakes up by miracle and moves)?

You should focus upon the arch teams, not the maintainers who can't do anything until the arch teams catch up anyway.

And are you aware that the mips team spends most of its time trying to catch up with people breaking the tree? If they didn't have to do that, they'd be able to get to the bugs about which you care faster.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Hi,

On Sun, Feb 11, 2007 at 07:50:02PM +0100, Jakub Moc wrote:
> Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
> it stay in the tree forever (unless some $we_all_know_which_arch dev
> wakes up by miracle and moves)?

If you give away enough usable information, then sure.

Though! We have seen that, for example in bug #164182[1], that you filed ended up in a removal of the latest stable version of imagemagick on MIPS. We are currently a heavily understaffed team and we would not like to see this happen! We are an unsupported security architecture so the maintainers can remove anything but our keyword in that package -- that would make sure that the MIPS users will still have a stable tree and the other architectures users won't be affected.

Best regards,
Alexander

[1] https://bugs.gentoo.org/show_bug.cgi?id=164182

--
Alexander Færøy
Bugday Lead
Alpha/IA64/MIPS Architecture Teams
User Relations, Quality Assurance
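Added example (not part of the thread and not Gentoo or Portage code): the keyword check the posts above argue over, combining the rule "never remove the latest stable version on any architecture" with the suggestion to trim a vulnerable ebuild down to the lagging arch's keyword until a fixed version is stable there. The package data, version numbers and function names are constructed for illustration, and the version comparison assumes plain dotted numeric versions with an optional -rN suffix.

```python
import re

# Constructed sample data (not from the thread): version -> KEYWORDS string of
# a hypothetical package. "arch" = stable, "~arch" = testing, "-arch" = disabled.
EBUILDS = {
    "0.9": "alpha mips x86",
    "1.0": "alpha mips x86",
    "1.1": "alpha ~mips x86",
    "1.2": "~alpha ~mips x86",
}
VULNERABLE = {"0.9", "1.0", "1.1"}  # constructed: 1.2 carries the fix


def version_key(version):
    """Sort key for 'N.N.N' or 'N.N.N-rN' (a simplification of ebuild versions)."""
    match = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", version)
    if match is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def latest_stable(ebuilds):
    """Return {arch: newest version carrying a stable keyword for that arch}."""
    best = {}
    for version, keywords in ebuilds.items():
        for keyword in keywords.split():
            if keyword.startswith(("~", "-")):
                continue  # testing or disabled: not a stable keyword
            if keyword not in best or version_key(version) > version_key(best[keyword]):
                best[keyword] = version
    return best


def fixed_target(ebuilds, vulnerable, version):
    """Newest non-vulnerable version above `version`, or None if no fix exists."""
    newer = [v for v in ebuilds
             if v not in vulnerable and version_key(v) > version_key(version)]
    return max(newer, key=version_key) if newer else None


def plan_removal(ebuilds, vulnerable):
    """Decide per vulnerable version: remove it, or keep it for lagging arches."""
    unknown = set(vulnerable) - set(ebuilds)
    if unknown:
        raise KeyError(f"not in tree: {sorted(unknown)}")
    best = latest_stable(ebuilds)
    plan = {}
    for version in sorted(vulnerable, key=version_key):
        # Arches for which this version is the latest stable: removing it
        # would force a downgrade or leave the arch with nothing stable.
        waiting_on = sorted(arch for arch, v in best.items() if v == version)
        if waiting_on:
            plan[version] = {
                "action": "keep",
                "waiting_on": waiting_on,
                # Trim KEYWORDS to the lagging arches only, so every other
                # arch stops being offered the vulnerable version.
                "keywords": " ".join(waiting_on),
                "target": fixed_target(ebuilds, vulnerable, version),
            }
        else:
            plan[version] = {"action": "remove", "waiting_on": [],
                             "keywords": "", "target": None}
    return plan


if __name__ == "__main__":
    for version, step in plan_removal(EBUILDS, VULNERABLE).items():
        if step["action"] == "remove":
            print(f"{version}: safe to remove")
        else:
            print(f"{version}: keep with KEYWORDS='{step['keywords']}' until "
                  f"{step['target'] or 'a fixed version'} is stable on "
                  f"{', '.join(step['waiting_on'])}")
```

It looks at keywords only; the reverse-dependency check named in the checklist earlier in the thread still has to be done separately.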
Re: [gentoo-dev] A Gentle Reminder
Alexander Færøy wrote:
> Hi,
>
> On Sun, Feb 11, 2007 at 07:50:02PM +0100, Jakub Moc wrote:
>> Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
>> it stay in the tree forever (unless some $we_all_know_which_arch dev
>> wakes up by miracle and moves)?
>
> If you give away enough usable information, then sure.
>
> Though! We have seen that, for example in bug #164182[1], that you filed
> ended up in a removal of the latest stable version of imagemagick on
> MIPS.

Pardon me, but this is *really* too much.

Please, remove the above once 6.3.0.5 has been stabilized on mips. Thanks. :)

So, what are you blaming me for here? Grrr.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
| So, what are you blaming me for here? Grrr.

Misassigning or premature filing, as you prefer.

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Jakub Moc <[EMAIL PROTECTED]> wrote:
> Ciaran McCreesh wrote:
> > | Screaming? WTF really. What's misleading about listing vulnerable
> > | versions and asking for their removal?
> >
> > They can't be removed yet. Stop filing bugs telling people to do so.
>
> Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
> it stay in the tree forever (unless some $we_all_know_which_arch dev
> wakes up by miracle and moves)?

How about cc'ing arches, which are affected by this? You still get your point across and maybe arches move it up their priority list if they see a removal "b/c of centuries old vulnerabilities". I'm happy with you reporting vulnerable ebuilds and request action on them. However, i agree with mips that breaking their deptree is bad. I know they're working really hard (keep in mind the machines they got) on getting things done. I still don't see the point of removing stable keywords from those ebuilds, though. I'd like to keep the p.mask for this, maybe with mips and other known to lag behind arches unmasking the ebuilds in question. (That would at least say "we're aware that these versions are vulnerable but can't upgrade yet")

--
Regards, Matti Bickel
Homepage: http://www.rateu.de
Encrypted/Signed Email preferred
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 19:50:02 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
> Won't waste my time on your trollish rants any more.

Hehe, whenever you write this, there's always several more posts from you down the same thread. It's kind of amusing.

--
Andrej "Ticho" Kacian
Gentoo Linux Developer - net-mail, antivirus, sound, x86
Re: [gentoo-dev] A Gentle Reminder
Ciaran McCreesh wrote:
> On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
> | So, what are you blaming me for here? Grrr.
>
> Misassigning or premature filing, as you prefer.

Oh sure... Next time, blame me for Sept 11, keep amusing us by your bullshit.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
Matti Bickel wrote:
> How about cc'ing arches, which are affected by this? You still get your
> point across and maybe arches move it up their priority list if they see
> a removal "b/c of centuries old vulnerabilities".

I did CC mips, and did write that it needs version x.y.z stabilized first. Sorry, enough babysitting here, either devs can read or they shouldn't have commit access. Period.

--
Best regards,
Jakub Moc
mailto:[EMAIL PROTECTED]
GPG signature: http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95 B30F 8717 D5FD CEBA 3D9E
... still no signature ;)
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 22:23:44 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
> Oh sure... Next time, blame me for Sept 11, keep amusing us by your
> bullshit.

If you like, I can say that you killed Jesus and were single-handedly responsible for the extinction of the dinosaurs. Would that make you happy?
Re: [gentoo-dev] A Gentle Reminder
On Sun, 11 Feb 2007 21:52:55 +0100 Matti Bickel <[EMAIL PROTECTED]> wrote:
| How about cc'ing arches, which are affected by this? You still get
| your point across and maybe arches move it up their priority list if
| they see a removal "b/c of centuries old vulnerabilities".

How about assigning the bug to the people who can do the work, rather than to people who can't change a thing until people on the Cc: list are done? For someone who moans about bug spam, Jakub sure is causing a lot of it for other people...

--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web : http://ciaranm.org/
Paludis, the secure package manager : http://paludis.pioto.org/
Re: [gentoo-dev] A Gentle Reminder
Stephen Bennett wrote:
> On Sun, 11 Feb 2007 22:23:44 +0100 Jakub Moc <[EMAIL PROTECTED]> wrote:
>> Oh sure... Next time, blame me for Sept 11, keep amusing us by your
>> bullshit.
>
> If you like, I can say that you killed Jesus and were single-handedly
> responsible for the extinction of the dinosaurs. Would that make you
> happy?

STOP TROLLING!
Re: [gentoo-dev] A Gentle Reminder
On Sun, 2007-11-02 at 22:46 +, Stephen Bennett wrote:
> On Sun, 11 Feb 2007 22:23:44 +0100
> Jakub Moc <[EMAIL PROTECTED]> wrote:
>
> > Oh sure... Next time, blame me for Sept 11, keep amusing us by your
> > bullshit.
>
> If you like, I can say that you killed Jesus and were single-handedly
> responsible for the extinction of the dinosaurs. Would that make you
> happy?

Are you implying that he is the One True God ?

--
Olivier Crête
[EMAIL PROTECTED]
Gentoo Developer
[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2007-02-11 23h59 UTC
The attached list notes all of the packages that were added or removed from the tree, for the week ending 2007-02-11 23h59 UTC.

Removals:
app-emacs/gnuplot-mode  2007-02-05 07:14:16  opfer
dev-ada/adabroker  2007-02-05 11:03:57  george
dev-games/cel-cvs  2007-02-06 21:41:42  wolf31o2
dev-games/crystalspace-cvs  2007-02-06 21:42:00  wolf31o2
app-i18n/jmode  2007-02-06 23:01:16  flameeyes
dev-lisp/cl-arnesi  2007-02-08 13:32:25  opfer
dev-lisp/cl-yaclml  2007-02-08 13:43:45  opfer
dev-lisp/cl-icu  2007-02-08 13:46:02  opfer
dev-lisp/cl-fiveam  2007-02-08 13:46:20  opfer
dev-lisp/cl-ucw  2007-02-08 13:47:54  opfer
dev-lisp/cl-rfc2109  2007-02-08 13:48:07  opfer
sys-fs/submount  2007-02-08 14:35:53  dsd
games-server/gta3mta  2007-02-08 21:36:58  wolf31o2
games-strategy/freecraft-fcmp  2007-02-09 01:27:40  wolf31o2
app-portage/abeni  2007-02-09 14:11:43  fuzzyray
x11-misc/gpasman  2007-02-09 20:20:38  nelchael
media-libs/openquicktime  2007-02-10 16:31:05  flameeyes
net-p2p/ww  2007-02-10 17:19:13  armin76
net-p2p/azureus-bin  2007-02-10 21:20:42  betelgeuse
app-laptop/macosd  2007-02-11 09:41:15  corsair

Additions:
dev-ada/glade  2007-02-05 10:35:15  george
media-libs/libafterimage  2007-02-05 16:00:43  bicatali
dev-perl/Return-Value  2007-02-05 19:31:57  mcummings
dev-perl/Email-Send  2007-02-05 19:32:59  mcummings
dev-perl/Email-MIME-Encodings  2007-02-05 19:46:47  mcummings
dev-perl/Email-MessageID  2007-02-05 19:49:40  mcummings
dev-perl/Email-MIME-ContentType  2007-02-05 19:53:01  mcummings
dev-perl/Email-MIME  2007-02-05 19:57:24  mcummings
dev-perl/Email-MIME-Modifier  2007-02-05 19:58:42  mcummings
dev-perl/Email-MIME-Attachment-Stripper  2007-02-05 20:04:18  mcummings
dev-perl/Email-Date  2007-02-05 20:11:42  mcummings
dev-perl/Email-Simple-Creator  2007-02-05 20:14:19  mcummings
dev-perl/Email-MIME-Creator  2007-02-05 20:16:48  mcummings
dev-perl/Email-Reply  2007-02-05 20:20:05  mcummings
sys-block/fwdl  2007-02-06 07:28:39  robbat2
dev-perl/Astro-FITS-Header  2007-02-06 17:40:35  mcummings
dev-ml/ocaml-ssl  2007-02-06 20:56:28  nattfodd
dev-ml/ocaml-expat  2007-02-06 21:26:43  nattfodd
games-strategy/coldwar  2007-02-06 23:31:54  wolf31o2
games-arcade/blockrage  2007-02-06 23:48:12  tupone
dev-python/pyfits  2007-02-07 11:18:26  bicatali
dev-util/ragel  2007-02-07 12:49:40  twp
app-doc/lapack-docs  2007-02-07 13:17:28  bicatali
app-doc/blas-docs  2007-02-07 16:12:01  bicatali
dev-lang/cfortran  2007-02-07 16:41:43  bicatali
dev-perl/MLDBM-Sync  2007-02-07 20:45:16  ian
games-board/fruit  2007-02-07 23:11:03  tupone
app-backup/keep  2007-02-08 09:52:05  drizzt
games-arcade/amphetamine  2007-02-08 20:50:08  tupone
dev-java/cos  2007-02-10 19:42:01  nichoj
x11-themes/gtk-engines-rezlooks  2007-02-11 03:28:52  compnerd
dev-lang/mono-basic  2007-02-11 07:53:52  compnerd
games-arcade/supertransball2  2007-02-11 09:26:34  tupone
xfce-extra/gsynaptics-mcs-plugin  2007-02-11 19:50:31  drac

--
Robin Hugh Johnson
Gentoo Linux Developer
E-Mail : [EMAIL PROTECTED]
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85