public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
From: Peter Volkov @ 2010-08-17  6:46 UTC
  To: gentoo-dev, alexxy

On Mon, 16/08/2010 at 18:04 +0000, Alexey Shvetsov (alexxy) wrote:
> alexxy      10/08/16 18:04:52
> 
>   Modified:             ChangeLog
>   Added:                drupal-5.23.ebuild drupal-6.19.ebuild
>   Removed:              drupal-6.16.ebuild drupal-6.17.ebuild
>                         drupal-5.22.ebuild
>   Log:
>   [www-apps/drupal] Version bump

Always reference the bug number and mention the people who spent time
reporting problems in our bugzilla. Please add the bug # and attribution
to the ChangeLog. Also, with a version bump it's always a good idea to keep
the previous version to allow re-installation of previous versions in case
of regressions.

https://bugs.gentoo.org/show_bug.cgi?id=323399

-- 
Peter.

* Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
From: Alex Legler @ 2010-08-17  9:27 UTC
  To: gentoo-dev

On Tue, 17 Aug 2010 10:46:10 +0400, Peter Volkov <pva@gentoo.org> wrote:

> On Mon, 16/08/2010 at 18:04 +0000, Alexey Shvetsov (alexxy) wrote:
> > alexxy      10/08/16 18:04:52
> > 
> >   Modified:             ChangeLog
> >   Added:                drupal-5.23.ebuild drupal-6.19.ebuild
> >   Removed:              drupal-6.16.ebuild drupal-6.17.ebuild
> >                         drupal-5.22.ebuild
> >   Log:
> >   [www-apps/drupal] Version bump
> 
> Always reference the bug number and mention the people who spent time
> reporting problems in our bugzilla. Please add the bug # and attribution
> to the ChangeLog. Also, with a version bump it's always a good idea to
> keep the previous version to allow re-installation of previous versions
> in case of regressions.
> 
> https://bugs.gentoo.org/show_bug.cgi?id=323399
> 

That's rather https://bugs.gentoo.org/show_bug.cgi?id=332541

I agree that the bug # should be referenced, but as for removing the
old versions, that's something we usually ask people to do after
bumping packages with security issues to minimize the risk of people
installing possibly vulnerable versions.

-- 
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de


* Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
From: Alexey Shvetsov @ 2010-08-17 11:57 UTC
  To: gentoo-dev

Ok =)

Next time I'll add bug numbers =) Actually I simply forgot about them.

2010/8/17 Alex Legler <a3li@gentoo.org>:
> On Tue, 17 Aug 2010 10:46:10 +0400, Peter Volkov <pva@gentoo.org> wrote:
>
>> On Mon, 16/08/2010 at 18:04 +0000, Alexey Shvetsov (alexxy) wrote:
>> > alexxy      10/08/16 18:04:52
>> >
>> >   Modified:             ChangeLog
>> >   Added:                drupal-5.23.ebuild drupal-6.19.ebuild
>> >   Removed:              drupal-6.16.ebuild drupal-6.17.ebuild
>> >                         drupal-5.22.ebuild
>> >   Log:
>> >   [www-apps/drupal] Version bump
>>
>> Always reference the bug number and mention the people who spent time
>> reporting problems in our bugzilla. Please add the bug # and attribution
>> to the ChangeLog. Also, with a version bump it's always a good idea to
>> keep the previous version to allow re-installation of previous versions
>> in case of regressions.
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=323399
>>
>
> That's rather https://bugs.gentoo.org/show_bug.cgi?id=332541
>
> I agree that the bug # should be referenced, but as for removing the
> old versions, that's something we usually ask people to do after
> bumping packages with security issues to minimize the risk of people
> installing possibly vulnerable versions.
>
> --
> Alex Legler | Gentoo Security / Ruby
> a3li@gentoo.org | a3li@jabber.ccc.de
>



-- 
Best Regards,
Alexey 'Alexxy' Shvetsov
Petersburg Nuclear Physics Institute, Russia
Department of Molecular and Radiation Biophysics
Gentoo Team Ru
Gentoo Linux Dev
mailto:alexxyum@gmail.com
mailto:alexxy@gentoo.org
mailto:alexxy@omrb.pnpi.spb.ru

* Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
From: Peter Volkov @ 2010-08-17 12:11 UTC
  To: gentoo-dev

On Tue, 17/08/2010 at 11:27 +0200, Alex Legler wrote:
> but as for removing the old versions, that's something we usually ask
> people to do after bumping packages with security issues to minimize
> the risk of people installing possibly vulnerable versions.

I agree with removal, but not immediately. Personally I already had
issues with another web application: it worked in my installation, but
people were unable to use it after a security fix. Since having a vulnerable
but working installation is better than a "fixed" but broken one, I'd rather
always keep old versions for some time. Also, it's not a big problem to
have old versions in the tree since you have to specify the version number
explicitly to install them...

-- 
Peter.

* Re: [gentoo-dev] Re: [gentoo-commits] gentoo-x86 commit in www-apps/drupal: drupal-5.23.ebuild ChangeLog drupal-6.19.ebuild drupal-6.16.ebuild drupal-6.17.ebuild drupal-5.22.ebuild
From: Alex Legler @ 2010-08-17 16:30 UTC
  To: gentoo-dev

On Tue, 17 Aug 2010 16:11:42 +0400, Peter Volkov <pva@gentoo.org> wrote:

> On Tue, 17/08/2010 at 11:27 +0200, Alex Legler wrote:
> > but as for removing the old versions, that's something we usually
> > ask people to do after bumping packages with security issues to
> > minimize the risk of people installing possibly vulnerable versions.
> 
> I agree with removal, but not immediately. Personally I already had
> issues with another web application: it worked in my installation, but
> people were unable to use it after a security fix.

In that case: Reopen the bug and inform us. Besides, you should only
get issues when dealing with ~arch ebuilds as they're not tested. But
that's what you get for using testing. *shrug*

> Since having a
> vulnerable but working installation is better than a "fixed" but
> broken one,

No offense, but that's just naive.

> I'd rather always keep old versions for some time.

Use a local overlay then.

> Also, it's
> not a big problem to have old versions in the tree since you have to
> specify the version number explicitly to install them...
> 

You obviously haven't been in our support venues and seen what some
people are able to do...

-- 
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de
