[gentoo-dev] Last rites: media-video/motion

[gentoo-dev] Last rites: media-video/motion

[Aaron Bauman]

# Aaron Bauman <bman@gentoo.org> (26 Jun 2016)
# Unpatched security vulnerability and dead upstream
# per bug #475120.  Removal in 30 days
media-video/motion

[gentoo-dev] Last rites: www-apps/egroupware

[Aaron Bauman]

# Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
# Unpatched security vulnerability per bug #509920.
# Removal in 30 days
www-apps/egroupware

Re: [gentoo-dev] Last rites: www-apps/egroupware

[J. Roeleveld]

On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote:
> # Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
> # Unpatched security vulnerability per bug #509920.
> # Removal in 30 days
> www-apps/egroupware

Why is this bug being used to treeclean egroupware?

Why is bug  461212 not being used to actually resolve the issue?
If I would actually be confident that it would actually be used, I would have 
no issue on trying to get my latest ebuild ( version 14.3.20160525 ) converted 
to the latest standards.

--
Joost

[gentoo-dev] Re: Last rites: www-apps/egroupware

[Duncan]

J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted:

> On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote:
>> # Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
>> # Unpatched security vulnerability per bug #509920.
>> # Removal in 30 days www-apps/egroupware
> 
> Why is this bug being used to treeclean egroupware?
> 
> Why is bug  461212 not being used to actually resolve the issue?
> If I would actually be confident that it would actually be used, I would
> have no issue on trying to get my latest ebuild ( version 14.3.20160525
> ) converted to the latest standards.

According to equery meta, egroupware has no individual developer 
maintainer and no proxied maintainer, only the webapps project as 
maintainer.  And apparently there, nobody has been specifically 
interested in egroupware, so it has fallen thru the cracks to some 
degree, tho newer versions /may/ be in the webapps-experimental overlay.

Here's the webapps project wiki page:

https://wiki.gentoo.org/wiki/Project:Webapps

That has this to say when discussing the overlay, quote:

Web applications in general tend to be a severe security liability. They 
are designed to communicate with the outside world and need to deal with 
a range of input from the Internet. Since it is often hard for developers 
to foresee all types of malicious input, security flaws are being 
detected rather frequently in the apps we maintain.

To reduce the impact of such incidents while still offering a wide range 
of different web applications, we created a Portage overlay that contains 
ebuilds for applications that we do not want to maintain in the main 
tree. Such applications either lack a developer willing to maintain it in 
Portage or have not been reviewed for security.

The overlay can be found here:
https://cgit.gentoo.org/proj/webapps-experimental.git/

Warning
Please remember that the applications available through the overlay might 
compromise the security of your server!

The overlay is an ideal playground for new developers wishing to join our 
team. Once we see that you are capable of writing ebuilds of reasonable 
quality, we can provide you with commit rights to the overlay.

End quote.


So it's possible newer versions are in the overlay, and they simply 
decided it was too much of a load to keep a version in the tree as well.

If there /aren't/ newer versions in the overlay, presumably it's because 
nobody that has access has been interested in maintaining it in the 
overlay either.


Either way, given your obvious interest, I'd suggest contacting them 
about overlay commit rights, and/or volunteering to be the proxied 
maintainer for this particular package.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman

Re: [gentoo-dev] Re: Last rites: www-apps/egroupware

[J. Roeleveld]

On Thursday, July 07, 2016 06:37:09 AM Duncan wrote:
> J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted:
> > On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote:
> >> # Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
> >> # Unpatched security vulnerability per bug #509920.
> >> # Removal in 30 days www-apps/egroupware
> > 
> > Why is this bug being used to treeclean egroupware?
> > 
> > Why is bug  461212 not being used to actually resolve the issue?
> > If I would actually be confident that it would actually be used, I would
> > have no issue on trying to get my latest ebuild ( version 14.3.20160525
> > ) converted to the latest standards.
> 
> According to equery meta, egroupware has no individual developer
> maintainer and no proxied maintainer, only the webapps project as
> maintainer.  And apparently there, nobody has been specifically
> interested in egroupware, so it has fallen thru the cracks to some
> degree, tho newer versions /may/ be in the webapps-experimental overlay.

I tried contacting the web-apps project directly, but never received a reply.

> Here's the webapps project wiki page:
> 
> https://wiki.gentoo.org/wiki/Project:Webapps
> 
> That has this to say when discussing the overlay, quote:
> 
....
> 
> The overlay can be found here:
> https://cgit.gentoo.org/proj/webapps-experimental.git/

Last commit in 2011.

> Warning
> Please remember that the applications available through the overlay might
> compromise the security of your server!
> 
> The overlay is an ideal playground for new developers wishing to join our
> team. Once we see that you are capable of writing ebuilds of reasonable
> quality, we can provide you with commit rights to the overlay.
> 
> End quote.
> 
> 
> So it's possible newer versions are in the overlay, and they simply
> decided it was too much of a load to keep a version in the tree as well.
> 
> If there /aren't/ newer versions in the overlay, presumably it's because
> nobody that has access has been interested in maintaining it in the
> overlay either.
> 
> Either way, given your obvious interest, I'd suggest contacting them
> about overlay commit rights, and/or volunteering to be the proxied
> maintainer for this particular package.

Is there a way of finding out who are actually in the web-app project and which 
of them would be able and willing to work with me on this and other web 
applications that I actively use?

From the lack of response to the email and lack of updates on the overlay, the 
project seems dead to me.

--
Joost

Re: [gentoo-dev] Re: Last rites: www-apps/egroupware

[Tomas Mozes]

[-- Attachment #1: Type: text/plain, Size: 3107 bytes --]

On Thu, Jul 7, 2016 at 8:50 AM, J. Roeleveld <joost@antarean.org> wrote:

> On Thursday, July 07, 2016 06:37:09 AM Duncan wrote:
> > J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted:
> > > On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote:
> > >> # Aaron Bauman <bman@gentoo.org> (30 Jun 2016)
> > >> # Unpatched security vulnerability per bug #509920.
> > >> # Removal in 30 days www-apps/egroupware
> > >
> > > Why is this bug being used to treeclean egroupware?
> > >
> > > Why is bug  461212 not being used to actually resolve the issue?
> > > If I would actually be confident that it would actually be used, I
> would
> > > have no issue on trying to get my latest ebuild ( version 14.3.20160525
> > > ) converted to the latest standards.
> >
> > According to equery meta, egroupware has no individual developer
> > maintainer and no proxied maintainer, only the webapps project as
> > maintainer.  And apparently there, nobody has been specifically
> > interested in egroupware, so it has fallen thru the cracks to some
> > degree, tho newer versions /may/ be in the webapps-experimental overlay.
>
> I tried contacting the web-apps project directly, but never received a
> reply.
>
> > Here's the webapps project wiki page:
> >
> > https://wiki.gentoo.org/wiki/Project:Webapps
> >
> > That has this to say when discussing the overlay, quote:
> >
> ....
> >
> > The overlay can be found here:
> > https://cgit.gentoo.org/proj/webapps-experimental.git/
>
> Last commit in 2011.
>
> > Warning
> > Please remember that the applications available through the overlay might
> > compromise the security of your server!
> >
> > The overlay is an ideal playground for new developers wishing to join our
> > team. Once we see that you are capable of writing ebuilds of reasonable
> > quality, we can provide you with commit rights to the overlay.
> >
> > End quote.
> >
> >
> > So it's possible newer versions are in the overlay, and they simply
> > decided it was too much of a load to keep a version in the tree as well.
> >
> > If there /aren't/ newer versions in the overlay, presumably it's because
> > nobody that has access has been interested in maintaining it in the
> > overlay either.
> >
> > Either way, given your obvious interest, I'd suggest contacting them
> > about overlay commit rights, and/or volunteering to be the proxied
> > maintainer for this particular package.
>
> Is there a way of finding out who are actually in the web-app project and
> which
> of them would be able and willing to work with me on this and other web
> applications that I actively use?
>
> From the lack of response to the email and lack of updates on the overlay,
> the
> project seems dead to me.
>
> --
> Joost
>
>
>

It's really sad to see a user wanting to keep up the ebuild and with no
response from the webapps team. I can understand being busy, but by
checking https://bugs.gentoo.org/show_bug.cgi?id=461212 it seems it's a
long-term issue. Joost, please try to contact the proxy maintainers team
and open a pull-request on github for the bump, that may be a way.

Good luck.

[-- Attachment #2: Type: text/html, Size: 4304 bytes --]