[gentoo-dev] Only you can prevent broken portage trees

[gentoo-dev] Only you can prevent broken portage trees

[Jason Wever]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

Apparently its been too long since I've sent one of these out, as people 
are starting to slip up and break the tree again.

Please triple check what you want to commit and verify that you don't do 
any of the following (which are punishable by death):

1) remove the last ebuild that is keyworded for a given arch, especially
    when resulting in broken dependencies.

2) remove the last stable ebuild for an architecture

3) remove the last testing ebuild for an architecture when there is no
    stable ebuild available after the removal

Consider yourself warned.  Violation of any of these will cause the 
jforman death goat squad to be dispatched to your location for a discreet 
hit.  For repeat offenders, public executions will be had, with Spanky 
hosting.

Thanks :)
- -- 
Jason Wever
Gentoo/Sparc Team Co-Lead
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFRWg1dKvgdVioq28RAj+tAJ4o4sDm3gMHXFJD93p7A3sQfDIjQwCfRGoo
83p8MPbKPzjgbkM0B684l8M=
=hGcH
-----END PGP SIGNATURE-----
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Francesco Riosa]

Jason Wever ha scritto:
> Hi All,
> 
> Apparently its been too long since I've sent one of these out, as people
> are starting to slip up and break the tree again.
> 
> Please triple check what you want to commit and verify that you don't do
> any of the following (which are punishable by death):
> 
> 1) remove the last ebuild that is keyworded for a given arch, especially
>    when resulting in broken dependencies.

http://bugs.gentoo.org/show_bug.cgi?id=149626
I'm going to die then, scheduled on 2006-11-05
If keywording without archs support is only gambling I'll go that route

> 2) remove the last stable ebuild for an architecture
> 
> 3) remove the last testing ebuild for an architecture when there is no
>    stable ebuild available after the removal
> 
> Consider yourself warned.  Violation of any of these will cause the
> jforman death goat squad to be dispatched to your location for a
> discreet hit.  For repeat offenders, public executions will be had, with
> Spanky hosting.
> 
> Thanks :)
> -- Jason Wever
> Gentoo/Sparc Team Co-Lead
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Francesco Riosa]

Francesco Riosa ha scritto:
[...]
> 
> http://bugs.gentoo.org/show_bug.cgi?id=149626
> I'm going to die then, scheduled on 2006-11-05
> If keywording without archs support is only gambling I'll go that route
> 
[...]
Worried that this can cause a flameware I already updated the ebuild:
- it now use the eclass
- the only stable keywords now are those of the arch not having a better
version

please don't tell anyone, I'm really worried it can cause a flamefest.

in the meantime the "~sparc-fbsd" keyword reached the package, very
happy for that :) but I've keyworded DBI and DBD (perl stuff) to satisfy
the deps. Repoman was stil complaining about missin KEY on
'>=perl-core/Sys-Syslog-0.17' '>=dev-perl/PlRPC-0.2' on dev-perl/DBI


ciao,
Francesco
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 1032 bytes --]

On Sun, Oct 29, 2006 at 07:49:22PM -0700, Jason Wever wrote:
> Please triple check what you want to commit and verify that you don't do 
> any of the following (which are punishable by death):
> 
> 1) remove the last ebuild that is keyworded for a given arch, especially
>    when resulting in broken dependencies.
> 
> 2) remove the last stable ebuild for an architecture
> 
> 3) remove the last testing ebuild for an architecture when there is no
>    stable ebuild available after the removal

To generalize on Francesco's email, how long should developers wait for
minority arches to mark stuff stable, after a security bug, and then a
reminder more than 4 months later? 5 months of no response from the
arches says something is wrong on their side.

I think that usage statistics might point out that there are nobody even
using these specific ebuilds that are proposed for removal.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ferris McCormick]

[-- Attachment #1: Type: text/plain, Size: 1326 bytes --]

On Mon, 2006-10-30 at 00:28 -0800, Robin H. Johnson wrote:
> On Sun, Oct 29, 2006 at 07:49:22PM -0700, Jason Wever wrote:
> > Please triple check what you want to commit and verify that you don't do 
> > any of the following (which are punishable by death):
> > 
> > 1) remove the last ebuild that is keyworded for a given arch, especially
> >    when resulting in broken dependencies.
> > 
> > 2) remove the last stable ebuild for an architecture
> > 
> > 3) remove the last testing ebuild for an architecture when there is no
> >    stable ebuild available after the removal
> 
> To generalize on Francesco's email, how long should developers wait for
> minority arches to mark stuff stable, after a security bug, and then a
> reminder more than 4 months later? 5 months of no response from the
> arches says something is wrong on their side.
> 
I might be mistaken, but I believe sparc responds pretty quickly to
security bugs, either by taking the requested action or by explaining
why the requested action is impossible (i.e., build problems).

> I think that usage statistics might point out that there are nobody even
> using these specific ebuilds that are proposed for removal.
> 

Regards,
-- 
Ferris McCormick (P44646, MI) <fmccor@gentoo.org>
Developer, Gentoo Linux (Devrel, Sparc)


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Carsten Lohrke]

[-- Attachment #1: Type: text/plain, Size: 609 bytes --]

On Monday 30 October 2006 14:23, Ferris McCormick wrote:
> I might be mistaken, but I believe sparc responds pretty quickly to
> security bugs, either by taking the requested action or by explaining
> why the requested action is impossible (i.e., build problems).

Yes, the Sparc team is rather quick - even among security-wise supported 
architectures. None of the archs cc'ed to the bug in question is 
security-wise supported. We communicate this is our vulnerability policy¹ 
page - a bit too hidden for my taste.


Carsten


[1] http://www.gentoo.org/security/en/vulnerability-policy.xml

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 645 bytes --]

On Mon, 30 Oct 2006 00:28:29 -0800 "Robin H. Johnson"
<robbat2@gentoo.org> wrote:
| To generalize on Francesco's email, how long should developers wait
| for minority arches to mark stuff stable, after a security bug, and
| then a reminder more than 4 months later?

Indefinitely. There's no harm leaving ebuilds around.

| 5 months of no response from the arches says something is wrong on
| their side.

Or it tells you where their priorities lie...

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 914 bytes --]

Ciaran McCreesh napsal(a):
> On Mon, 30 Oct 2006 00:28:29 -0800 "Robin H. Johnson"
> <robbat2@gentoo.org> wrote:
> | To generalize on Francesco's email, how long should developers wait
> | for minority arches to mark stuff stable, after a security bug, and
> | then a reminder more than 4 months later?
> 
> Indefinitely. There's no harm leaving ebuilds around.

Joking, right? Who's gonna maintain the vulnerable, broken, dead cruft? You?

> | 5 months of no response from the arches says something is wrong on
> | their side.
> 
> Or it tells you where their priorities lie...

Sure. So they don't need the keywords nor the package.



-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1216 bytes --]

On Mon, 30 Oct 2006 20:09:56 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Ciaran McCreesh napsal(a):
| > On Mon, 30 Oct 2006 00:28:29 -0800 "Robin H. Johnson"
| > <robbat2@gentoo.org> wrote:
| > | To generalize on Francesco's email, how long should developers
| > | wait for minority arches to mark stuff stable, after a security
| > | bug, and then a reminder more than 4 months later?
| > 
| > Indefinitely. There's no harm leaving ebuilds around.
| 
| Joking, right? Who's gonna maintain the vulnerable, broken, dead
| cruft? You?

If there's any 'maintaining' to be done, they switch to the newer
version. If a herd goes around 'maintaining' old ebuilds on a regular
basis, however, then they're doing something wrong.

| > | 5 months of no response from the arches says something is wrong on
| > | their side.
| > 
| > Or it tells you where their priorities lie...
| 
| Sure. So they don't need the keywords nor the package.

No no. They might need the package, just not necessarily a particular
version.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 763 bytes --]

Ciaran McCreesh napsal(a):
> | > | 5 months of no response from the arches says something is wrong on
> | > | their side.
> | > 
> | > Or it tells you where their priorities lie...
> | 
> | Sure. So they don't need the keywords nor the package.
> 
> No no. They might need the package, just not necessarily a particular
> version.

As you have might have noticed, they already have a newer version
stable. But apparently asking them to respond on a bug within 5 months
is way too much. :P


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 949 bytes --]

On Mon, 30 Oct 2006 20:50:06 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Ciaran McCreesh napsal(a):
| > | > | 5 months of no response from the arches says something is
| > | > | wrong on their side.
| > | > 
| > | > Or it tells you where their priorities lie...
| > | 
| > | Sure. So they don't need the keywords nor the package.
| > 
| > No no. They might need the package, just not necessarily a
| > particular version.
| 
| As you have might have noticed, they already have a newer version
| stable. But apparently asking them to respond on a bug within 5 months
| is way too much. :P

Well yes, since there's no clear link between bugs and packages. Things
can get stabled incidentally and for reasons other than the ones in one
particular bug.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 1162 bytes --]

Ciaran McCreesh napsal(a):
> | As you have might have noticed, they already have a newer version
> | stable. But apparently asking them to respond on a bug within 5 months
> | is way too much. :P
> 
> Well yes, since there's no clear link between bugs and packages. Things
> can get stabled incidentally and for reasons other than the ones in one
> particular bug.

Eh? Stabilizing for multiple security issues [1] is "incidental"?!

[1]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1518
http://bugs.gentoo.org/show_bug.cgi?id=132146

What on earth are you talking about here? And why almost 6 months is not
enough for someone to respond on a bug with a simple "we'll only support
newer versions and don't care about MySQL 4.0.x any more, go drop it"?


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1337 bytes --]

On Mon, 30 Oct 2006 21:46:33 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Ciaran McCreesh napsal(a):
| > | As you have might have noticed, they already have a newer version
| > | stable. But apparently asking them to respond on a bug within 5
| > | months is way too much. :P
| > 
| > Well yes, since there's no clear link between bugs and packages.
| > Things can get stabled incidentally and for reasons other than the
| > ones in one particular bug.
| 
| Eh? Stabilizing for multiple security issues [1] is "incidental"?!

Stabling for multiple local denial of service security issues can be
done incidentally when stabling for a data loss fix (which I'm
not claiming is the case for one particular package, but merely giving
as an example demonstrating what "incidental" means).

| What on earth are you talking about here? And why almost 6 months is
| not enough for someone to respond on a bug with a simple "we'll only
| support newer versions and don't care about MySQL 4.0.x any more, go
| drop it"?

Priorities. The arch teams could be too busy dealing with other bugs
that matter more or too busy dealing with noise bugs.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 934 bytes --]

Ciaran McCreesh napsal(a):
> | What on earth are you talking about here? And why almost 6 months is
> | not enough for someone to respond on a bug with a simple "we'll only
> | support newer versions and don't care about MySQL 4.0.x any more, go
> | drop it"?
> 
> Priorities. The arch teams could be too busy dealing with other bugs
> that matter more or too busy dealing with noise bugs.

Sorry, taking 1 minute to respond on a bug after being poked for a
couple of months is not a matter of priorities, but mere politeness and
common sense. Seriously, you can't work productively with other people
if they can't be bothered to write one sentence for months.


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1026 bytes --]

On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Ciaran McCreesh napsal(a):
| > | What on earth are you talking about here? And why almost 6 months
| > | is not enough for someone to respond on a bug with a simple
| > | "we'll only support newer versions and don't care about MySQL
| > | 4.0.x any more, go drop it"?
| > 
| > Priorities. The arch teams could be too busy dealing with other bugs
| > that matter more or too busy dealing with noise bugs.
| 
| Sorry, taking 1 minute to respond on a bug after being poked for a
| couple of months is not a matter of priorities, but mere politeness
| and common sense. Seriously, you can't work productively with other
| people if they can't be bothered to write one sentence for months.

There are an awful lot of bugs requiring an awful lot of attention...

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Alec Warner]

Ciaran McCreesh wrote:
> On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc <jakub@gentoo.org> wrote:
> | Ciaran McCreesh napsal(a):
> | > | What on earth are you talking about here? And why almost 6 months
> | > | is not enough for someone to respond on a bug with a simple
> | > | "we'll only support newer versions and don't care about MySQL
> | > | 4.0.x any more, go drop it"?
> | > 
> | > Priorities. The arch teams could be too busy dealing with other bugs
> | > that matter more or too busy dealing with noise bugs.
> | 
> | Sorry, taking 1 minute to respond on a bug after being poked for a
> | couple of months is not a matter of priorities, but mere politeness
> | and common sense. Seriously, you can't work productively with other
> | people if they can't be bothered to write one sentence for months.
> 
> There are an awful lot of bugs requiring an awful lot of attention...
> 

I'm actually going to agree with jakub here.  I wouldn't even say they 
need to fix the bug; but just acknowledge that they even read it or paid 
attention or "hey we are working on it" or "hey we don't give a flying 
rats ass."

There is a minimal level of communication that is required between 
groups, otherwise nothing gets done and you *will* get people breaking 
your arch tree or pulling your keywords, because if you having commented 
on the bug ever then most sane people would probably assume you don't care.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1328 bytes --]

On Mon, 30 Oct 2006 18:46:25 -0500 Alec Warner <antarus@gentoo.org>
wrote:
| I'm actually going to agree with jakub here.  I wouldn't even say
| they need to fix the bug; but just acknowledge that they even read it
| or paid attention or "hey we are working on it" or "hey we don't give
| a flying rats ass."
| 
| There is a minimal level of communication that is required between 
| groups, otherwise nothing gets done and you *will* get people
| breaking your arch tree or pulling your keywords, because if you
| having commented on the bug ever then most sane people would probably
| assume you don't care.

The thing is, at any given time there are probably a hundred or more
bugs assigned to arch teams with people whining for attention. At least
two thirds of those whines are unhelpful and serve no purpose.
Filtering out the legitimate calls for attention would take even more
time away from fixing the things.

So, unless you can recruit somebody *good* to let the arch teams know
which bugs should be prioritised, the only thing that increasing
communication would do is decrease the number of bugs that get fixed.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

Dnia wtorek, 31 października 2006 01:33, Ciaran McCreesh napisał:
> The thing is, at any given time there are probably a hundred or more
> bugs assigned to arch teams with people whining for attention. At least
> two thirds of those whines are unhelpful and serve no purpose.
> Filtering out the legitimate calls for attention would take even more
> time away from fixing the things.
>
> So, unless you can recruit somebody *good* to let the arch teams know
> which bugs should be prioritised, the only thing that increasing
> communication would do is decrease the number of bugs that get fixed.

I'm not a dev but I suppose i got resolution for that problem. Lets make 
another subproject (don't know how to name it properly) in bugzilla in which 
there will be only bugs affected by security flaw. That bugs will have 
highest priority from every other ones. And devs would have to look at them 
firstly

-- 
Paweł Madej (Nysander)

-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 266 bytes --]

On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
> I'm not a dev but I suppose i got resolution for that problem. Lets make
> another subproject (don't know how to name it properly) in bugzilla

you mean like the "Gentoo Security" bugzilla product ?
-mike

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

[-- Attachment #1: Type: text/plain, Size: 501 bytes --]

Dnia wtorek, 31 października 2006 09:02, Mike Frysinger napisał:
> On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
> > I'm not a dev but I suppose i got resolution for that problem. Lets make
> > another subproject (don't know how to name it properly) in bugzilla
>
> you mean like the "Gentoo Security" bugzilla product ?
> -mike

Yes that could be that - As I checked there are lack of unneeded noise bugs. 
So devs could concentrate on important ones.

-- 
Paweł Madej (Nysander)

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 840 bytes --]

On Tuesday 31 October 2006 03:38, Paweł Madej wrote:
> Dnia wtorek, 31 października 2006 09:02, Mike Frysinger napisał:
> > On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
> > > I'm not a dev but I suppose i got resolution for that problem. Lets
> > > make another subproject (don't know how to name it properly) in
> > > bugzilla
> >
> > you mean like the "Gentoo Security" bugzilla product ?
>
> Yes that could be that - As I checked there are lack of unneeded noise
> bugs. So devs could concentrate on important ones.

sorry, i dont get it

we already have the products available for people to sort arch bugs 
between "stabilize random pkg for fun" and "stabilize random pkg for 
security" ... in fact, the bug e-mails that go out even have headers in them 
so people can filter into different folders
-mike

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

[-- Attachment #1: Type: text/plain, Size: 1149 bytes --]

Dnia wtorek, 31 października 2006 09:52, Mike Frysinger napisał:
> On Tuesday 31 October 2006 03:38, Paweł Madej wrote:
> > Dnia wtorek, 31 października 2006 09:02, Mike Frysinger napisał:
> > > On Tuesday 31 October 2006 02:57, Paweł Madej wrote:
> > > > I'm not a dev but I suppose i got resolution for that problem. Lets
> > > > make another subproject (don't know how to name it properly) in
> > > > bugzilla
> > >
> > > you mean like the "Gentoo Security" bugzilla product ?
> >
> > Yes that could be that - As I checked there are lack of unneeded noise
> > bugs. So devs could concentrate on important ones.
>
> sorry, i dont get it
>
> we already have the products available for people to sort arch bugs
> between "stabilize random pkg for fun" and "stabilize random pkg for
> security" ... in fact, the bug e-mails that go out even have headers in
> them so people can filter into different folders
> -mike

If there are no such information in emails to which bugzilla product bugreport 
is attached, maybe the solution is to write in bug summary [SECURITY] {SEC] 
or whatever would point that this bug is important?

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Mike Frysinger]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

On Tuesday 31 October 2006 04:08, Paweł Madej wrote:
> Dnia wtorek, 31 października 2006 09:52, Mike Frysinger napisał:
> > we already have the products available for people to sort arch bugs
> > between "stabilize random pkg for fun" and "stabilize random pkg for
> > security" ... in fact, the bug e-mails that go out even have headers in
> > them so people can filter into different folders
>
> If there are no such information in emails to which bugzilla product
> bugreport is attached,

i just said *that exact information is already in the e-mail*

X-Bugzilla-Product: Gentoo Security
X-Bugzilla-Severity: enhancement
X-Bugzilla-Keywords: 
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Component: Vulnerabilities
-mike

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

[-- Attachment #1: Type: text/plain, Size: 999 bytes --]

Dnia wtorek, 31 października 2006 10:17, Mike Frysinger napisał:
> On Tuesday 31 October 2006 04:08, Paweł Madej wrote:
> > Dnia wtorek, 31 października 2006 09:52, Mike Frysinger napisał:
> > > we already have the products available for people to sort arch bugs
> > > between "stabilize random pkg for fun" and "stabilize random pkg for
> > > security" ... in fact, the bug e-mails that go out even have headers in
> > > them so people can filter into different folders
> >
> > If there are no such information in emails to which bugzilla product
> > bugreport is attached,
>
> i just said *that exact information is already in the e-mail*
>
> X-Bugzilla-Product: Gentoo Security
> X-Bugzilla-Severity: enhancement
> X-Bugzilla-Keywords:
> X-Bugzilla-Reason: AssignedTo
> X-Bugzilla-Component: Vulnerabilities
> -mike

I've misunderstood your email. If there are such info I don't have any more 
solution. The rest lies in Dev's mind and behaviour when they got such email.


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[David Shakaryan]

[-- Attachment #1: Type: text/plain, Size: 499 bytes --]

Paweł Madej wrote:
> I'm not a dev but I suppose i got resolution for that problem. Lets make 
> another subproject (don't know how to name it properly) in bugzilla in which 
> there will be only bugs affected by security flaw. That bugs will have 
> highest priority from every other ones. And devs would have to look at them 
> firstly

What's wrong with simply setting high priority or severity on a bug like
you can currently do?

-- 
David Shakaryan
GnuPG Public Key: 0x4B8FE14B


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

[-- Attachment #1: Type: text/plain, Size: 1027 bytes --]

Dnia wtorek, 31 października 2006 09:06, David Shakaryan napisał:
> Paweł Madej wrote:
> > I'm not a dev but I suppose i got resolution for that problem. Lets make
> > another subproject (don't know how to name it properly) in bugzilla in
> > which there will be only bugs affected by security flaw. That bugs will
> > have highest priority from every other ones. And devs would have to look
> > at them firstly
>
> What's wrong with simply setting high priority or severity on a bug like
> you can currently do?

From user point of view while I report new bug I can set piority and severity 
to what I want, everybody could. Then bug-wranglers have to point that bug to 
suitable herd/dev so he is informed about a bug. But such bugs as I was said 
before are hundreds. Bugs in Gentoo Security as Mike proposed are lot less, 
so devs could concentrate on them and next go to common bugs category.

I don't know if it is possible to make it so, but I hope I helped a little.

Greets
Paweł Madej (Nysander)

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 631 bytes --]

On Tue, 31 Oct 2006 08:57:01 +0100 Paweł Madej <linux@quanteam.info>
wrote:
| I'm not a dev but I suppose i got resolution for that problem. Lets
| make another subproject (don't know how to name it properly) in
| bugzilla in which there will be only bugs affected by security flaw.
| That bugs will have highest priority from every other ones. And devs
| would have to look at them firstly

Uh, security bugs are not the highest priority.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stuart Herbert]

On 10/31/06, Ciaran McCreesh <ciaranm@ciaranm.org> wrote:
> Uh, security bugs are not the highest priority.

Would it be possible to have some arch team leaders join in this
debate?  Atm, it just seems to be bouncing back and forwards between
package maintainers asking questions, and a Gentoo user filling the
void left by the responses from the arch team folks.

(Or, to put it another way, I'm not sure anyone's actually learning
anything here, except for Ciaran's personal opinions on how he'd like
things to be).

Many thanks,
Stu
--
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 16:36:13 +0100
"Stuart Herbert" <stuart.herbert@gmail.com> wrote:

> Would it be possible to have some arch team leaders join in this
> debate?  Atm, it just seems to be bouncing back and forwards between
> package maintainers asking questions, and a Gentoo user filling the
> void left by the responses from the arch team folks.

Having a system that actually works is usually reckoned to be more
important than patching minor security holes on architectures that
aren't security-supported anyway. On systems that are almost never used
in production or in externally visible roles, security bugs are much
akin to simple enhancements to a package that already works, and fixing
packages that don't work takes precedence.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stuart Herbert]

On 10/31/06, Stephen Bennett <spb@gentoo.org> wrote:
> Having a system that actually works is usually reckoned to be more
> important than patching minor security holes on architectures that
> aren't security-supported anyway. On systems that are almost never used
> in production or in externally visible roles, security bugs are much
> akin to simple enhancements to a package that already works, and fixing
> packages that don't work takes precedence.

Thanks for that.  It's much appreciated.

This leaves package maintainers in the situation that there are
'old'/'insecure'/<insert preferred adjective here> versions of
packages that are hanging around only because arches have fallen
behind.  Package maintainers want to be able to remove these old
versions, but currently cannot because of keywording-lag.

At the moment, it looks like there are a few choices:

1)  Leave the older versions in the tree, even though they are
insecure and possibly/probably no longer supported by package
maintainers.  This keeps minority arches happy at the expense of the
larger group of package maintainers.

2) Or, remove the older versions from the tree after a suitable
waiting period (say, 3 months for arguments sake).  This will keep
package maintainers happy, and our users (less cruft in the tree to
rsync and metadata-cache), but causes real trouble for minority
arches.

3) ??

Best regards,
Stu
--
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 672 bytes --]

On Tue, 31 Oct 2006 17:02:46 +0100 "Stuart Herbert"
<stuart.herbert@gmail.com> wrote:
| 2) Or, remove the older versions from the tree after a suitable
| waiting period (say, 3 months for arguments sake).  This will keep
| package maintainers happy, and our users (less cruft in the tree to
| rsync and metadata-cache), but causes real trouble for minority
| arches.

Users are generally not happy when they see big flashy !!! error
messages when trying to update their systems...

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Roy Marples]

On Tuesday 31 October 2006 16:02, Stuart Herbert wrote:
> 3) ??

Profit????

-- 
Roy Marples <uberlord@gentoo.org>
Gentoo Developer (baselayout, networking)
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 17:02:46 +0100
"Stuart Herbert" <stuart.herbert@gmail.com> wrote:

> 1)  Leave the older versions in the tree, even though they are
> insecure and possibly/probably no longer supported by package
> maintainers.  This keeps minority arches happy at the expense of the
> larger group of package maintainers.

How exactly does this affect package maintainers, apart from the
cosmetic problems of having an old ebuild lying around? As far as I can
see, it doesn't affect the maintenance burden, since if the arch still
using the old version needs a fix present in the newer versions they
can just keyword one of those, and if the fix isn't present it doesn't
much matter which ebuild(s) get it applied.

The original request not to remove an arch's latest stable ebuild seems
reasonable enough to me -- we're not asking package maintainers to
support or update things that they wouldn't otherwise, merely not to be
so hasty about removing them from the tree since they might still be of
use to someone.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Olivier Crete]

On Tue, 2006-31-10 at 17:02 +0100, Stuart Herbert wrote:
> This leaves package maintainers in the situation that there are
> 'old'/'insecure'/<insert preferred adjective here> versions of
> packages that are hanging around only because arches have fallen
> behind.  Package maintainers want to be able to remove these old
> versions, but currently cannot because of keywording-lag.
> [...]
> 3) ??

What about, package maintainers remove all of the other keywords from
said broken version and add a nasty ewarning message to the pkg_postinst
like "this version has a known security problem, dont use it, bitch to
your arch team if you're not happy"...

-- 
Olivier Crête
tester@gentoo.org
Gentoo Developer


-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 458 bytes --]

On Tue, 2006-10-31 at 17:02 +0100, Stuart Herbert wrote:
> 3) ??

Get your hands on some of the minority arch hardware and help out?

Remember that some of the teams in question are sometimes only one or
two people.  In this case, a single developer does make a dramatic
difference.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Diego 'Flameeyes' Pettenò]

[-- Attachment #1: Type: text/plain, Size: 317 bytes --]

On Tuesday 31 October 2006 19:51, Chris Gianelloni wrote:
> Remember that some of the teams in question are sometimes only one or
> two people.
Like x86? :P

-- 
Diego "Flameeyes" Pettenò - http://farragut.flameeyes.is-a-geek.org/
Gentoo/Alt lead, Gentoo/FreeBSD, Video, Sound, ALSA, PAM, KDE, CJK, Ruby ...

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Chris Gianelloni]

[-- Attachment #1: Type: text/plain, Size: 460 bytes --]

On Tue, 2006-10-31 at 20:06 +0100, Diego 'Flameeyes' Pettenò wrote:
> On Tuesday 31 October 2006 19:51, Chris Gianelloni wrote:
> > Remember that some of the teams in question are sometimes only one or
> > two people.
> Like x86? :P

With Opfer on the team, I think we're at 5 active.

-- 
Chris Gianelloni
Release Engineering Strategic Lead
Alpha/AMD64/x86 Architecture Teams
Games Developer/Council Member/Foundation Trustee
Gentoo Foundation

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stuart Herbert]

Hi Chris,

On 10/31/06, Chris Gianelloni <wolf31o2@gentoo.org> wrote:
> On Tue, 2006-10-31 at 17:02 +0100, Stuart Herbert wrote:
> > 3) ??
>
> Get your hands on some of the minority arch hardware and help out?

It's a good idea.  It's not an option for me, but hopefully others
will follow your advice.

Personally, I like the idea of package maintainers updating old
ebuilds with a prominent warning that the package is known to have
security holes, and then leaving it to the user to decide whether or
not to use the package.  A suitable elog message (pointing the user at
the security bugs in question, and warning them that the package is
now unsupported as a result) in pkg_setup would do the trick.

If there's any interest in this solution, it'd wouldn't take very long
to add a suitable function to the eutils eclass, so that we can
standardise the behaviour.

Of course, it'd be even better if Portage itself could support this,
so that the warning could occur without manual intervention.  But in
the meantime, adding a simple 'einsecure' function would be
sufficient.

Any interest?

Best regards,
Stu
--
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Brian Harring]

[-- Attachment #1: Type: text/plain, Size: 1126 bytes --]

On Tue, Oct 31, 2006 at 07:51:00PM +0000, Stuart Herbert wrote:
> Hi Chris,
> 
> On 10/31/06, Chris Gianelloni <wolf31o2@gentoo.org> wrote:
> >On Tue, 2006-10-31 at 17:02 +0100, Stuart Herbert wrote:
> >> 3) ??
> >
> >Get your hands on some of the minority arch hardware and help out?
> 
> It's a good idea.  It's not an option for me, but hopefully others
> will follow your advice.
> 
> Personally, I like the idea of package maintainers updating old
> ebuilds with a prominent warning that the package is known to have
> security holes, and then leaving it to the user to decide whether or
> not to use the package.  A suitable elog message (pointing the user at
> the security bugs in question, and warning them that the package is
> now unsupported as a result) in pkg_setup would do the trick.

Rather see the keywords and masking status stripped down to just the 
arches that need that version. 

If folks need insecure ebuilds, cvs exists; trying to stick notices in 
is just an attempt to address a symptom, rather then the cause.

That and notices are pretty damn easy to miss ;)
~harring

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jason Wever]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 31 Oct 2006, Stuart Herbert wrote:

> On 10/31/06, Ciaran McCreesh <ciaranm@ciaranm.org> wrote:
>>  Uh, security bugs are not the highest priority.
>
> Would it be possible to have some arch team leaders join in this
> debate?  Atm, it just seems to be bouncing back and forwards between
> package maintainers asking questions, and a Gentoo user filling the
> void left by the responses from the arch team folks.

Well, lets use an example.  If SPARC had a breakage in the system profile 
and a security bug in say, phpmyadmin, the system profile breakage is 
going to take priority as it impacts every SPARC user's ability to use 
and/or install Gentoo on Linux/SPARC.  However, phpmyadmin impacts a much 
smaller segment of the Gentoo Linux/SPARC user base, so its not as much of 
a problem.

Obviously some of this is going to be relative.  If the security issue was 
a remote unauthorized DoS, buffer overflow resulting in a root shell 
particularly in the system profile packages, then it would probably take 
priority over the latest request to stabilize or add testing keywords to 
random package maintainer's package.

That being said, Gentoo Linux/SPARC normally does try to handle Security 
issues before others if the others aren't critical.

Cheers,
- -- 
Jason Wever
Gentoo/Sparc Team Co-Lead
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFFR3IBdKvgdVioq28RArMdAJ49AsBl3DjtA5n22atL7FpY0jYwVACeLeV7
PPBLoaGVvBRWQRh3Qnn1VLs=
=BAvM
-----END PGP SIGNATURE-----
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen P. Becker]

Stuart Herbert wrote:
> On 10/31/06, Ciaran McCreesh <ciaranm@ciaranm.org> wrote:
>> Uh, security bugs are not the highest priority.
> 
> Would it be possible to have some arch team leaders join in this
> debate?  Atm, it just seems to be bouncing back and forwards between
> package maintainers asking questions, and a Gentoo user filling the
> void left by the responses from the arch team folks.

You do realize that Ciaran *was* a member of several arch teams, right?
 I would agree with pretty much everything he has said on this topic.
Perhaps you should consider that the reason that not many arch team
folks have chipped in is because we agree with him.  Don't dismiss his
responses as noise from some random "Gentoo user" who has no idea what
they are talking about.  You should know better then that Stuart.


> (Or, to put it another way, I'm not sure anyone's actually learning
> anything here, except for Ciaran's personal opinions on how he'd like
> things to be).

Or, to put it this way, I'm not sure anyone is actually getting the
point, simply because they would rather stick their heads in the sand
instead of actually listening to something Ciaran has to say.

-Steve
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stuart Herbert]

On 10/31/06, Stephen P. Becker <geoman@gentoo.org> wrote:
> You do realize that Ciaran *was* a member of several arch teams, right?

Of course.  But "was" _is_ the operative word.  It's not like I'm
asking for him to be banned from the Gentoo mailing lists or anything.
 Chill, ffs.

Arch team leaders set policy on this issues, not Ciaran.  It's useful
for developers (especially ones who have joined Gentoo since Ciaran
was expelled) to be clear on what the arch team policies actually are.

>  I would agree with pretty much everything he has said on this topic.
> Perhaps you should consider that the reason that not many arch team
> folks have chipped in is because we agree with him.

All I'm asking is for arch team leaders to say so.  It's hardly
unreasonable or controversial to ask that.

> Don't dismiss his
> responses as noise from some random "Gentoo user" who has no idea what
> they are talking about.  You should know better then that Stuart.

I'm not dismissing his responses.  I'm just asking for arch team
leaders (which is who the questions in this thread were addressed to)
to chip in, tis all.

Which, I'm glad to say, they've been happy to do.

Best regards,
Stu
--
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 17:16:31 +0100
"Stuart Herbert" <stuart.herbert@gmail.com> wrote:

> Arch team leaders set policy on this issues, not Ciaran.

Which they did a long time ago, which he got to know at that time, and
which haven't substantively changed since then. He's as well qualified
as anyone to answer, especially since he's still more closely involved
than many, I would dare say most, current developers in their everyday
activities.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 17:57:06 +0100
Jakub Moc <jakub@gentoo.org> wrote:

> Of course it does... Lots of people can't remove outdated broken cruft
> because $ebuild still depends on something since $arch has been
> slacking for months. Lots of people are forced to maintain outdated
> junk in this way, it's not like it's just sitting there doing nothing.

Did you even read my mail? We're not asking people to maintain old
stuff, just to leave it there as is until a newer one can be tested and
keyworded.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Fernando J. Pereda]

[-- Attachment #1: Type: text/plain, Size: 934 bytes --]

On Tue, Oct 31, 2006 at 05:05:21PM +0000, Stephen Bennett wrote:
> On Tue, 31 Oct 2006 17:57:06 +0100
> Jakub Moc <jakub@gentoo.org> wrote:
> 
> > Of course it does... Lots of people can't remove outdated broken cruft
> > because $ebuild still depends on something since $arch has been
> > slacking for months. Lots of people are forced to maintain outdated
> > junk in this way, it's not like it's just sitting there doing nothing.
> 
> Did you even read my mail? We're not asking people to maintain old
> stuff, just to leave it there as is until a newer one can be tested and
> keyworded.

No he didn't, and he probably won't. I've tried to explain this at least
once in #gentoo-qa and he didn't seem to *want+ to understand it.

Maybe we aren't being clear enough...

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 1313 bytes --]

Stephen Bennett napsal(a):
> On Tue, 31 Oct 2006 17:57:06 +0100
> Jakub Moc <jakub@gentoo.org> wrote:
> 
>> Of course it does... Lots of people can't remove outdated broken cruft
>> because $ebuild still depends on something since $arch has been
>> slacking for months. Lots of people are forced to maintain outdated
>> junk in this way, it's not like it's just sitting there doing nothing.
> 
> Did you even read my mail? We're not asking people to maintain old
> stuff, just to leave it there as is until a newer one can be tested and
> keyworded.

Sure I did... Could you tell me why should we accumulate broken and
vulnerable junk in the tree for years? (Outdated ebuild A depends on
junky outdated ebuild B which depends on crappy, unsupported ebuilds C,
D and E which... )

Either keyword it in a reasonable time or you'll lose the keyword, damn
simple... Can't do it in X months? Sorry, too bad for your arch, the
package is gone and users will rant (or they won't, and then you don't
need the keywords in the first place).


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Fernando J. Pereda]

[-- Attachment #1: Type: text/plain, Size: 979 bytes --]

On Tue, Oct 31, 2006 at 06:18:26PM +0100, Jakub Moc wrote:
> Sure I did... Could you tell me why should we accumulate broken and
> vulnerable junk in the tree for years? (Outdated ebuild A depends on
> junky outdated ebuild B which depends on crappy, unsupported ebuilds C,
> D and E which... )

Thats not the maintainer's problem but the Arch Team's problem so they
are the ones that decide what to do.

> Either keyword it in a reasonable time or you'll lose the keyword, damn
> simple... Can't do it in X months? Sorry, too bad for your arch, the
> package is gone and users will rant (or they won't, and then you don't
> need the keywords in the first place).

No. Arch Teams manage their keywords the way _they_ want not the way YOU
or others that don't work on arch teams want.

It is actually *that* simple.

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 18:18:26 +0100
Jakub Moc <jakub@gentoo.org> wrote:

> Sure I did... Could you tell me why should we accumulate broken and
> vulnerable junk in the tree for years? (Outdated ebuild A depends on
> junky outdated ebuild B which depends on crappy, unsupported ebuilds
> C, D and E which... )

To avoid breaking the dep tree for users. Quite simple really.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 858 bytes --]

Stephen Bennett napsal(a):
> On Tue, 31 Oct 2006 18:18:26 +0100
> Jakub Moc <jakub@gentoo.org> wrote:
> 
>> Sure I did... Could you tell me why should we accumulate broken and
>> vulnerable junk in the tree for years? (Outdated ebuild A depends on
>> junky outdated ebuild B which depends on crappy, unsupported ebuilds
>> C, D and E which... )
> 
> To avoid breaking the dep tree for users. Quite simple really.

Ah. That's apparently much more important than not breaking users by
providing them w/ non-vulnerable, decently uptodate stuff that's not
ridden by tons of bugs. Yup. :P


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 954 bytes --]

On Tue, 31 Oct 2006 18:50:58 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Stephen Bennett napsal(a):
| > On Tue, 31 Oct 2006 18:18:26 +0100
| > Jakub Moc <jakub@gentoo.org> wrote:
| > 
| >> Sure I did... Could you tell me why should we accumulate broken and
| >> vulnerable junk in the tree for years? (Outdated ebuild A depends
| >> on junky outdated ebuild B which depends on crappy, unsupported
| >> ebuilds C, D and E which... )
| > 
| > To avoid breaking the dep tree for users. Quite simple really.
| 
| Ah. That's apparently much more important than not breaking users by
| providing them w/ non-vulnerable, decently uptodate stuff that's not
| ridden by tons of bugs. Yup. :P

So if it's "ridden by tons of bugs", why did it ever get marked stable?

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Alec Warner]

Ciaran McCreesh wrote:
> On Tue, 31 Oct 2006 18:50:58 +0100 Jakub Moc <jakub@gentoo.org> wrote:
> | Stephen Bennett napsal(a):
> | > On Tue, 31 Oct 2006 18:18:26 +0100
> | > Jakub Moc <jakub@gentoo.org> wrote:
> | > 
> | >> Sure I did... Could you tell me why should we accumulate broken and
> | >> vulnerable junk in the tree for years? (Outdated ebuild A depends
> | >> on junky outdated ebuild B which depends on crappy, unsupported
> | >> ebuilds C, D and E which... )
> | > 
> | > To avoid breaking the dep tree for users. Quite simple really.
> | 
> | Ah. That's apparently much more important than not breaking users by
> | providing them w/ non-vulnerable, decently uptodate stuff that's not
> | ridden by tons of bugs. Yup. :P
> 
> So if it's "ridden by tons of bugs", why did it ever get marked stable?
> 

Sometimes bugs are discovered after a stable marking, such as security 
bugs.  You of all people know how crappy some software developers are at 
releasing bug-free software.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Fernando J. Pereda]

[-- Attachment #1: Type: text/plain, Size: 789 bytes --]

On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
> Oh well, this apparently doesn't go anywhere, slacking is just
> wonderful, maintainers should just STFU and obey the almighty slacking
> arches, security is the least of a concern and no priority, not
> answering a on bug for half a year makes lots of sense and all is fine
> and dandy. More cruft in the tree for t3h win.

Yeah, we are so slackers that we are able to maintain a whole tree of
keywords with less than 10 persons and less than 10 machines (alpha
example).

You probably want a shell account on a mips/alpha/... machine so you can
start helping, right?

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 1549 bytes --]

Fernando J. Pereda napsal(a):
> On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
>> Oh well, this apparently doesn't go anywhere, slacking is just
>> wonderful, maintainers should just STFU and obey the almighty slacking
>> arches, security is the least of a concern and no priority, not
>> answering a on bug for half a year makes lots of sense and all is fine
>> and dandy. More cruft in the tree for t3h win.
> 
> Yeah, we are so slackers that we are able to maintain a whole tree of
> keywords with less than 10 persons and less than 10 machines (alpha
> example).
> 
> You probably want a shell account on a mips/alpha/... machine so you can
> start helping, right?

This whole frickin' debate started when vivo mentioned a bug where noone
from the concerned arches gave a damn for half a year. Not even uttering
a simple "we don't care, punt it" or "we have still an issue with this
and are working on it".

Then ciaranm came w/ his priorities junk, spb joined to fuel the flame
(as always) and then you came horribly offended (for whatever weird
reason) about how I'm daring to dictate some arches how they should do
their job.

OMG how hard is it to post one sentence on such bugs instead of playing
a dead horse? Really, stop this nonsense.



-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Bryan Østergaard]

On Tue, Oct 31, 2006 at 08:42:54PM +0100, Jakub Moc wrote:
> Fernando J. Pereda napsal(a):
> > On Tue, Oct 31, 2006 at 07:12:58PM +0100, Jakub Moc wrote:
> >> Oh well, this apparently doesn't go anywhere, slacking is just
> >> wonderful, maintainers should just STFU and obey the almighty slacking
> >> arches, security is the least of a concern and no priority, not
> >> answering a on bug for half a year makes lots of sense and all is fine
> >> and dandy. More cruft in the tree for t3h win.
> > 
> > Yeah, we are so slackers that we are able to maintain a whole tree of
> > keywords with less than 10 persons and less than 10 machines (alpha
> > example).
> > 
> > You probably want a shell account on a mips/alpha/... machine so you can
> > start helping, right?
> 
> This whole frickin' debate started when vivo mentioned a bug where noone
> from the concerned arches gave a damn for half a year. Not even uttering
> a simple "we don't care, punt it" or "we have still an issue with this
> and are working on it".
> 
> Then ciaranm came w/ his priorities junk, spb joined to fuel the flame
> (as always) and then you came horribly offended (for whatever weird
> reason) about how I'm daring to dictate some arches how they should do
> their job.
> 
> OMG how hard is it to post one sentence on such bugs instead of playing
> a dead horse? Really, stop this nonsense.
Yes please stop your friggin nonsense when you have absolutely no idea
wtf you're talking about. Arch teams are doing everything they can to
keep up with bugs but have to take care of things according to how
important they are to the team in question.

Please go back to bug-wrangling and let the arch teams do their job
without throwing all that garbage at us all the time.

Regards,
Bryan Østergaard
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Seemant Kulleen]

OK kids, settle down for a second and listen to your uncle Seemant.

First, enough with the insults being hurled around!  We don't need
people being called slackers and dumb and stupid and whatever other
creative labels are being developed.  That is absolutely and without a
doubt: non-productive.  The better alternative might be to approach
people with a modicum of respect (swallow the bile).

Second, there's an obvious point of frustration here.  The arch teams
due to being understaffed have a different set of priorities from the
security team and a different set of priorities from the maintainers.
And this is the correct way for these things to be.

Third, the best proposal I've seen here is for developers to get shell
accounts on alternate architectures.  There's quite a few of them
floating around, and I'm pretty sure the arch teams will help you get a
shell on one of the boxes somewhere.  Some of the arches even have shell
boxes for that purpose sitting at OSU or something.  This would work for
at least the console applications (the visual stuff will be a little
trickier).

So, that said, I'm going to have to go with the standard advice that
Gentoo developers give Gentoo users: if you see a problem, help fix it!

Alternatively, there might be reason to have an einsecure() call in
pkg_setup() or something for deprecated versions.

But let me say again: stop acting disrespectfully of each other, or I'm
going to turn this car around and drive us back home, I'm not kidding!

And give me some of that popcorn.

-- 
Seemant Kulleen
Developer, Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Fernando J. Pereda]

[-- Attachment #1: Type: text/plain, Size: 886 bytes --]

On Tue, Oct 31, 2006 at 03:23:00PM -0500, Seemant Kulleen wrote:
> Third, the best proposal I've seen here is for developers to get shell
> accounts on alternate architectures.  There's quite a few of them
> floating around, and I'm pretty sure the arch teams will help you get a
> shell on one of the boxes somewhere.  Some of the arches even have shell
> boxes for that purpose sitting at OSU or something.  This would work for
> at least the console applications (the visual stuff will be a little
> trickier).

Just to add a little thing here:

Arch teams have been using vnc through ssh to test visual stuff like
gnome, kde, xfce and their respective mothers, for years.

So testing visual stuff remotely *is* possible.

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1128 bytes --]

On Tue, 31 Oct 2006 21:34:13 +0100 "Fernando J. Pereda"
<ferdy@gentoo.org> wrote:
| On Tue, Oct 31, 2006 at 03:23:00PM -0500, Seemant Kulleen wrote:
| > Third, the best proposal I've seen here is for developers to get
| > shell accounts on alternate architectures.  There's quite a few of
| > them floating around, and I'm pretty sure the arch teams will help
| > you get a shell on one of the boxes somewhere.  Some of the arches
| > even have shell boxes for that purpose sitting at OSU or
| > something.  This would work for at least the console applications
| > (the visual stuff will be a little trickier).
| 
| Just to add a little thing here:
| 
| Arch teams have been using vnc through ssh to test visual stuff like
| gnome, kde, xfce and their respective mothers, for years.
| 
| So testing visual stuff remotely *is* possible.

Kind of... You won't, for example, have picked up the endian bug in
urxvt by doing that.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Michael Cummings]

[-- Attachment #1: Type: text/plain, Size: 960 bytes --]

On Tue, 2006-10-31 at 19:47 +0100, Fernando J. Pereda wrote:
> You probably want a shell account on a mips/alpha/... machine so you can
> start helping, right?

Not attempting to join this ruckus - but I'll meekly raise my hand and
say that'd be awesome. I have an account on a mips box, but its
connection to the internet has been unstable in recent months (which I
was warned about ahead of time - that isn't a gripe). As primarily an
ebuild maintainer, I have no qualms about doing the legwork in the scope
that an arch is willing to accept, I just don't have the money and space
to personally house more than a handful of machines at home.
-- 

-----o()o----------------------------------------------
Michael Cummings   |    #gentoo-dev, #gentoo-perl
Gentoo Perl Dev    |    on irc.freenode.net 
Gentoo/SPARC
Gentoo/AMD64
GPG: 0543 6FA3 5F82 3A76 3BF7  8323 AB5C ED4E 9E7F 4E2E
-----o()o----------------------------------------------


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ilya A. Volynets-Evenbakh]

Michael Cummings wrote:
> Not attempting to join this ruckus - but I'll meekly raise my hand and
> say that'd be awesome. I have an account on a mips box, but its
> connection to the internet has been unstable in recent months (which I
> was warned about ahead of time - that isn't a gripe).
Just FYI, there is another box, faster, and running 24x7 which
should be used instead of O2K now. Ping me on IRC for more
info. (Oh, and sign up for the announcements list for those boxes ;-)
>  As primarily an
> ebuild maintainer, I have no qualms about doing the legwork in the scope
> that an arch is willing to accept, I just don't have the money and space
> to personally house more than a handful of machines at home.
>   

-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 19:12:58 +0100
Jakub Moc <jakub@gentoo.org> wrote:

> Oh well, this apparently doesn't go anywhere, slacking is just
> wonderful, maintainers should just STFU and obey the almighty slacking
> arches, security is the least of a concern and no priority, not
> answering a on bug for half a year makes lots of sense and all is fine
> and dandy. More cruft in the tree for t3h win.

When you can find a group that can maintain keywords for the entire
tree with fewer than ten people and a similar number of machines
averaging 500-600MHz each (to take alpha as an example), or
approximately three active devs with machines averaging below 300MHz
(mips), then you can accuse the arch teams of slacking.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Stephen Bennett]

On Tue, 31 Oct 2006 18:50:58 +0100
Jakub Moc <jakub@gentoo.org> wrote:

> Ah. That's apparently much more important than not breaking users by
> providing them w/ non-vulnerable, decently uptodate stuff that's not
> ridden by tons of bugs. Yup. :P

You've never worked on an arch team, have you?
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Fernando J. Pereda]

[-- Attachment #1: Type: text/plain, Size: 916 bytes --]

On Tue, Oct 31, 2006 at 06:50:58PM +0100, Jakub Moc wrote:
> Ah. That's apparently much more important than not breaking users by
> providing them w/ non-vulnerable, decently uptodate stuff that's not
> ridden by tons of bugs. Yup. :P

Why do you keep trying to tell arch maintainers how to do their job ? Do
I tell you how to do yours ?

Users of security-supported archs are not affected so what's your point
again ? Assuming you have a valid one, of course, so please don't come
back with that "maintainters don't want to maintain old/broken stuff"
kind of argument.

I'm both an arch-maintainer and ebuild-maintainer and don't see a
problem here... so from your _vast_ experience as both an
ebuild-maintainer and arch-maintainer, what's the problem?

- ferdy

-- 
Fernando J. Pereda Garcimartín
Gentoo Developer (Alpha,net-mail,mutt,git)
20BB BDC3 761A 4781 E6ED  ED0B 0A48 5B0C 60BD 28D4

[-- Attachment #2: Type: application/pgp-signature, Size: 191 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1169 bytes --]

On Tue, 31 Oct 2006 17:57:06 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| > How exactly does this affect package maintainers, apart from the
| > cosmetic problems of having an old ebuild lying around? As far as I
| > can see, it doesn't affect the maintenance burden,
| 
| Of course it does... Lots of people can't remove outdated broken cruft
| because $ebuild still depends on something since $arch has been
| slacking for months. Lots of people are forced to maintain outdated
| junk in this way, it's not like it's just sitting there doing nothing.

Uh, dude... If people are maintaining out of date packages, they're
doing something wrong. Old packages, by and large, should *not* be
modified.

| So again, if some arch can't be bothered to answer keywording bugs for
| months, no point in complaining that the maintainer finally gets
| pissed off enough to just punt the last ebuild keyworded for that
| arch.

Simply leaving those ebuilds alone takes no effort.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Paweł Madej]

[-- Attachment #1: Type: text/plain, Size: 786 bytes --]

Dnia wtorek, 31 października 2006 17:04, Stephen P. Becker napisał:
> [snip]
> Don't dismiss his responses as noise from some random "Gentoo user" who has
> no idea what they are talking about.  You should know better then that
> Stuart.  
>
> -Steve

This Random "Gentoo user" as you wrote says no noise but tried to help. From 
your email I read that you're Dev'tha boss and common gentoo user has nothing 
to add, because he is not a dev'tha boss.

This list is public and everyone could write to it if he has something 
important to add so don't dismiss users comments because of that he is not a 
dev. If you don't agree with my proposal ok, but I got a right to write and 
you cannot take it from me.

No flame at all. Just wanna help.

Greets
Paweł Madej

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Steve Dibb]

Ciaran McCreesh wrote:
> On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc <jakub@gentoo.org> wrote:
> | Ciaran McCreesh napsal(a):
> | > | What on earth are you talking about here? And why almost 6 months
> | > | is not enough for someone to respond on a bug with a simple
> | > | "we'll only support newer versions and don't care about MySQL
> | > | 4.0.x any more, go drop it"?
> | > 
> | > Priorities. The arch teams could be too busy dealing with other bugs
> | > that matter more or too busy dealing with noise bugs.
> | 
> | Sorry, taking 1 minute to respond on a bug after being poked for a
> | couple of months is not a matter of priorities, but mere politeness
> | and common sense. Seriously, you can't work productively with other
> | people if they can't be bothered to write one sentence for months.
> 
> There are an awful lot of bugs requiring an awful lot of attention...
> 

That does bring up an interesting question though -- at what point do you just 
ignore the arch and move on so that development can continue?

I suppose if you had a nasty security verbump you needed to release, you could 
keyword it yourself, but for everything else, what's the best way to handle 
those if you are perpetually ignored?

Steve
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Roy Marples]

On Tuesday 31 October 2006 14:46, Steve Dibb wrote:
> That does bring up an interesting question though -- at what point do you
> just ignore the arch and move on so that development can continue?

I just ignore the arches these days. After all, they ignore me. dhcp clients 
where modified to be independant of baselayout and arches had stable bugs for 
these.

baselayout-1.12 then went stable even though the required dhcp clients for the 
more obscure arches did not. As of right now, baselayout-1.12 is stable on 
arm, but udhcpc will not work on it unless they use unstable udhcpc.

Another example - kbd-1.12-r8 has a patch to fix loading unimaps, which a user 
submitted patch for console font needs. I've just filed a stable request for 
it even though r7 has got an outstanding stable bug for almost 2 months.

How long should I wait before I wang a fixed consoelfont script into 
baselayout that relies on this?

With all the of the above considered, imagine the irony of me filing a stable 
bug for kbd-1.12-r8 and someone stabling it on sparc :P

-- 
Roy Marples <uberlord@gentoo.org>
Gentoo Developer (baselayout, networking)
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Alec Warner]

Steve Dibb wrote:
> Ciaran McCreesh wrote:
>> On Mon, 30 Oct 2006 22:33:26 +0100 Jakub Moc <jakub@gentoo.org> wrote:
>> | Ciaran McCreesh napsal(a):
>> | > | What on earth are you talking about here? And why almost 6 months
>> | > | is not enough for someone to respond on a bug with a simple
>> | > | "we'll only support newer versions and don't care about MySQL
>> | > | 4.0.x any more, go drop it"?
>> | > | > Priorities. The arch teams could be too busy dealing with 
>> other bugs
>> | > that matter more or too busy dealing with noise bugs.
>> | | Sorry, taking 1 minute to respond on a bug after being poked for a
>> | couple of months is not a matter of priorities, but mere politeness
>> | and common sense. Seriously, you can't work productively with other
>> | people if they can't be bothered to write one sentence for months.
>>
>> There are an awful lot of bugs requiring an awful lot of attention...
>>
> 
> That does bring up an interesting question though -- at what point do 
> you just ignore the arch and move on so that development can continue?
> 
> I suppose if you had a nasty security verbump you needed to release, you 
> could keyword it yourself, but for everything else, what's the best way 
> to handle those if you are perpetually ignored?
> 
> Steve

I picked a random e-mail to reply to.  I don't maintain that many 
packages (maybe 10 or so?).  But if I have a bug (particularly a sec bug 
as in this case) and you haven't stablized it after five months then 
I'll probably just nuke the ebuild and drop your keywords and then 
change the bug title to "$arch got it's keywords dropped".  Now of 
course I'd probably e-mail your alias a couple of times letting on that 
this is my evil plan and to please try and get to my bug.

As an arch team you may not like it; and yeah it kind of sucks.  If you 
want your keyword back there will still be a bug open for it and the 
arch team can always keyword it themselves.

You can ask that we make a good faith attempt to not break the arch 
trees, and I think thats an acceptable request.  But eventually I'm 
going to give up waiting on you.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 616 bytes --]

On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner <antarus@gentoo.org>
wrote:
| I picked a random e-mail to reply to.  I don't maintain that many 
| packages (maybe 10 or so?).  But if I have a bug (particularly a sec
| bug as in this case) and you haven't stablized it after five months
| then I'll probably just nuke the ebuild and drop your keywords

Which is dumb. There's no harm to be had in just leaving the ebuild
there.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 1074 bytes --]

Ciaran McCreesh napsal(a):
> On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner <antarus@gentoo.org>
> wrote:
> | I picked a random e-mail to reply to.  I don't maintain that many 
> | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
> | bug as in this case) and you haven't stablized it after five months
> | then I'll probably just nuke the ebuild and drop your keywords
> 
> Which is dumb. There's no harm to be had in just leaving the ebuild
> there.

Accumulating broken old vulnerable and unsupported junk in tree for the
sole sake of arches that noone cares about enough to keyword something
newer for months harms everyone who uses rsync, wastes disk space for
users, wastes disk space on mirrors, makes CVS and portage slower,
wastes maintainers time... No harm? Nonsense.


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 1257 bytes --]

On Tue, 31 Oct 2006 18:23:49 +0100 Jakub Moc <jakub@gentoo.org> wrote:
| Ciaran McCreesh napsal(a):
| > On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner <antarus@gentoo.org>
| > wrote:
| > | I picked a random e-mail to reply to.  I don't maintain that many 
| > | packages (maybe 10 or so?).  But if I have a bug (particularly a
| > | sec bug as in this case) and you haven't stablized it after five
| > | months then I'll probably just nuke the ebuild and drop your
| > | keywords
| > 
| > Which is dumb. There's no harm to be had in just leaving the ebuild
| > there.
| 
| Accumulating broken old vulnerable and unsupported junk in tree

There is no accumulation. It's already there. And if packages are that
bad, perhaps you should ask yourself why they have a stable keyword at
all.

| for the sole sake of arches that noone cares about enough to keyword
| something newer for months

If you're taking that argument, one could just as easily claim that the
packages should be removed entirely since the arch teams don't care
enough to keyword them.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Jakub Moc]

[-- Attachment #1: Type: text/plain, Size: 1455 bytes --]

Ciaran McCreesh napsal(a):
> | Accumulating broken old vulnerable and unsupported junk in tree
> 
> There is no accumulation. It's already there. And if packages are that
> bad, perhaps you should ask yourself why they have a stable keyword at
> all.

Eh, sure there won't be any accumulation of broken junk _if_ the ebuild
never gets a version bump. (Then it should probably be removed
altogether after a reasonable period of time once it gets broken).
That's not what are we talking about here.

Otherwise, apparently the junk accumulates there. As an example - it's
really wonderful to have 3 KDE slots plus multiple versions for each in
the tree just because some arch team hasn't keyworded/stabilized
anything newer for ages. Makes everything faster and all...

> | for the sole sake of arches that noone cares about enough to keyword
> | something newer for months
> 
> If you're taking that argument, one could just as easily claim that the
> packages should be removed entirely since the arch teams don't care
> enough to keyword them.

See above, perhaps? And, we have some ebuilds without any keywords in
the tree? If we do, then yes, they should be removed.


-- 
Best regards,

 Jakub Moc
 mailto:jakub@gentoo.org
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ferris McCormick]

[-- Attachment #1: Type: text/plain, Size: 1433 bytes --]

On Tue, 2006-10-31 at 18:23 +0100, Jakub Moc wrote:
> Ciaran McCreesh napsal(a):
> > On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner <antarus@gentoo.org>
> > wrote:
> > | I picked a random e-mail to reply to.  I don't maintain that many 
> > | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
> > | bug as in this case) and you haven't stablized it after five months
> > | then I'll probably just nuke the ebuild and drop your keywords
> > 
> > Which is dumb. There's no harm to be had in just leaving the ebuild
> > there.
> 
> Accumulating broken old vulnerable and unsupported junk in tree for the
> sole sake of arches that noone cares about enough to keyword something
> newer for months harms everyone who uses rsync, wastes disk space for
> users, wastes disk space on mirrors, makes CVS and portage slower,
> wastes maintainers time... No harm? Nonsense.
> 
> 
Well, there's a bit more to it than "noone cares about".  Biggest
problem I have seen (although seldom) is when the "fixed" version is
broken for us.  In such cases, we will note the problem on the bug, but
obviously will not keyword the "fixed" version, and we need the old
version until the package maintainer corrects the problem.  Thus, we
have no control over any 5 month, 6 month, forever rule.

Regards,
Ferris
-- 
Ferris McCormick (P44646, MI) <fmccor@gentoo.org>
Developer, Gentoo Linux (Devrel, Sparc)


[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Alec Warner]

Ciaran McCreesh wrote:
> On Tue, 31 Oct 2006 11:57:37 -0500 Alec Warner <antarus@gentoo.org>
> wrote:
> | I picked a random e-mail to reply to.  I don't maintain that many 
> | packages (maybe 10 or so?).  But if I have a bug (particularly a sec
> | bug as in this case) and you haven't stablized it after five months
> | then I'll probably just nuke the ebuild and drop your keywords
> 
> Which is dumb. There's no harm to be had in just leaving the ebuild
> there.
> 

I'm just trying to make my life as an ebuild maintainer easier.  This 
means some individuals may file bugs against an old crusty version of a 
package that I maintain because $arch hasn't keyworded a newer version 
yet.  Then I have to tell the user that they are using a crusty old 
version and to use a newer one.  Double bonus if they are actually using 
said $arch and need to keyword the newer version themselves.

I'll admit I've never had to drop keywords on anything thus far; I'm 
merely stating what I would do in such a situation.  Your point prior 
was that you weren't asking maintainers to maintain anything extra, but 
to leave the old ebuilds in place for the given $arches.  The small 
issue is that ebuilds in place imply maintainership; even if it's just 
to tell the user to use a newer version.

On the topic of old ebuilds; situations may arise where a particular 
maintainer is trying to clean out a version of a package but finds that 
$arch doesn't have anything newer stable and thus can't do any sort of 
cleanup for fear of breaking $arch.

You will probably again state that maintainer should just leave the 
older versions around.  I will state that at least as a maintainer I'm 
willing to do so for only a limited period of time.  Otherwise it 
becomes an annoyance when trying to clean up after packages to have 
ebuilds from three or four minor versions ago lying around.

So we disagree on this point.  Thats ok too I think ;)
-Alec Warner
antarus@gentoo.org
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 840 bytes --]

On Tue, 31 Oct 2006 12:30:24 -0500 Alec Warner <antarus@gentoo.org>
wrote:
| I'm just trying to make my life as an ebuild maintainer easier.  This 
| means some individuals may file bugs against an old crusty version of
| a package that I maintain because $arch hasn't keyworded a newer
| version yet.  Then I have to tell the user that they are using a
| crusty old version and to use a newer one.  Double bonus if they are
| actually using said $arch and need to keyword the newer version
| themselves.

Well, if that happens, it increases the priority of keywording the new
version. Because once users start to care, things are more important.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Only you can prevent broken portage trees

[Steve Dibb]

Alec Warner wrote:
> On the topic of old ebuilds; situations may arise where a particular 
> maintainer is trying to clean out a version of a package but finds 
> that $arch doesn't have anything newer stable and thus can't do any 
> sort of cleanup for fear of breaking $arch.
>
> You will probably again state that maintainer should just leave the 
> older versions around.  I will state that at least as a maintainer I'm 
> willing to do so for only a limited period of time.  Otherwise it 
> becomes an annoyance when trying to clean up after packages to have 
> ebuilds from three or four minor versions ago lying around. 

Now this is the exact situation that I'm wondering about.  What's the 
best thing to do?

The only thing I can come up with is, if there's an old ebuild that I 
won't help support / maintain, but it's the latest stable for some arch, 
then remove all the other arch keywords except that one.  At least that 
way, I won't have to worry about people from arches who *are* up to date 
bugging me about it.

I'm not sure that's the best solution though.  I can see the reasoning 
behind "there's a newer stable version anyway, so they shouldn't use the 
old one", but really ... it can get annoying having some "stable 
request" bugs open for a very long time.  If someone wants to donate me 
more hardware, I'll get to working on those. :)

Steve
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Only you can prevent broken portage trees

[Denis Dupeyron]

On 10/30/06, Jason Wever <weeve@gentoo.org> wrote:
> Please triple check what you want to commit and verify that you don't do
> any of the following (which are punishable by death):
>
> 1) remove the last ebuild that is keyworded for a given arch, especially
>     when resulting in broken dependencies.
>
> 2) remove the last stable ebuild for an architecture
>
> 3) remove the last testing ebuild for an architecture when there is no
>     stable ebuild available after the removal
>
> Consider yourself warned.  Violation of any of these will cause the
> jforman death goat squad to be dispatched to your location for a discreet
> hit.  For repeat offenders, public executions will be had, with Spanky
> hosting.

1) Would it be a good idea for repoman to detect these when scanning
for QA issues ?

2) Would it be a good idea for repoman to alert QA (and possibly the
jforman death goat squad) in real time when a dev commits such
violations (and others) ? This could enable other devs to act right
away and avoid havoc to spread too far.

Denis.
-- 
gentoo-dev@gentoo.org mailing list

Re: [gentoo-dev] Take this motha to IRC lolz

[Ciaran McCreesh]

[-- Attachment #1: Type: text/plain, Size: 574 bytes --]

On Tue, 31 Oct 2006 10:45:02 -0800 Chris White <chriswhite@gentoo.org>
wrote:
| Alright kids, you've been emailing back and forth since 7AM my time
| in a frequence of about 5 minute intervals.  Just take this motha to
| IRC already.

Please stop adding to the noise with these worthless posts. You've been
doing it a lot lately, and it doesn't contribute anything to the
discussion.

-- 
Ciaran McCreesh
Mail                : ciaranm at ciaranm.org
Web                 : http://ciaranm.org/
as-needed is broken : http://ciaranm.org/show_post.pl?post_id=13


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Take this motha to IRC lolz

[Wernfried Haas]

[-- Attachment #1: Type: text/plain, Size: 823 bytes --]

On Tue, Oct 31, 2006 at 06:53:20PM +0000, Ciaran McCreesh wrote:
> On Tue, 31 Oct 2006 10:45:02 -0800 Chris White <chriswhite@gentoo.org>
> wrote:
> | Alright kids, you've been emailing back and forth since 7AM my time
> | in a frequence of about 5 minute intervals.  Just take this motha to
> | IRC already.
> 
> Please stop adding to the noise with these worthless posts. You've been
> doing it a lot lately, and it doesn't contribute anything to the
> discussion.

Hm, seems -dev is choking under that thread already, i never received
the email you responded to. So perhaps taking it to irc really is a
good idea...

cheers,
	Wernfried

-- 
Wernfried Haas (amne) - amne at gentoo dot org
Gentoo Forums: http://forums.gentoo.org
IRC: #gentoo-forums on freenode - email: forum-mods at gentoo dot org

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]