Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774

[Sergei Trofimovich <slyfox@gentoo.org>]

On Thu, 11 Oct 2018 17:10:10 +0200
Thomas Deutschmann <whissi@gentoo.org> wrote:

> Let me quote https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8:
> 
> > net-dns/dnssec-root: Blind stable on arm, critical bug 667774
> > 
> > Note that this is a major fail for a stable architecture.
> > In addition, all arm devboxes are currently offline.
> > 
> > Bug: https://bugs.gentoo.org/667774
> > Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
> > Package-Manager: Portage-2.3.49, Repoman-2.3.11
> 
> ...and now let's all sit down and enjoy how stable ARM users lose access
> to the Internet and have to figure out how to deactivate DNSSEC to get
> back online. ;]
> 
> Maybe it is time to destabilize ARM on Gentoo to stop the impression
> that we really support ARM.

[ CC: arm@ ]

A few points to think about:

1. I have read this as a direct statement that ARM is not maintained.
   I don't think it is a fair (or constructive) assessment of team's work
   on ARM front.

2. The bug was created less than a week ago and was not communicated
   explicitly as urgent on #gentoo-arm. I see failure to handle the bug
   as a communication failure and not a team's death signal.

   Were there any attempts to reach out to the teams or just arm users?

3. I do not believe arm boxes (or most of users' boxes) update @world weekly
   and restart unbound automatically. Deadline of a few days is not feasible
   to propagate to users quickly. There is frequently no order-of-days response
   from arch teams. It would be nice to have but it's not realistic (IMO).

4. net-dns/dnssec-root is used by a single(ish) package in tree: net-dns/unbound

   Which is: not a system package, not a default package, not suggested by handbook
   package, can operate without DNSSEC enabled.

   While annoying it's not going to lock users out or corrupt their data. I don't
   think state of this package is characteristic of ARM support in Gentoo.

5. net-dns/dnssec-root is a plain-text file package. It should have been ALLARCHES
   stablewithout involvement of arm@.

6. If this package is so important it needs to be stable months before keys expire.
   Then users would have a chance to get the update during casual update. Or
   net-dns/unbound DNSSEC functionality should not be marked stable anywhere
   if package requires periodic manual intervention to just keep working.

-- 

  Sergei