Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774

[Thomas Deutschmann <whissi@gentoo.org>]

[-- Attachment #1.1: Type: text/plain, Size: 3571 bytes --]

On 2018-10-12 01:38, Sergei Trofimovich wrote:
>> Maybe it is time to destabilize ARM on Gentoo to stop the impression
>> that we really support ARM.
> 
> [ CC: arm@ ]
> 
> A few points to think about:
> 
> 1. I have read this as a direct statement that ARM is not maintained.
>    I don't think it is a fair (or constructive) assessment of team's work
>    on ARM front.

See the ARM bug queue for stable requests. ARM is always last and behind
since we dropped HPPA.


> 2. The bug was created less than a week ago and was not communicated
>    explicitly as urgent on #gentoo-arm. I see failure to handle the bug
>    as a communication failure and not a team's death signal.
> 
>    Were there any attempts to reach out to the teams or just arm users?

Bug was assigned highest priority in bugzilla. But it looks like ARM arch
team is ignoring set priority.

*I* didn't asked in #gentoo-arm but I pinged project several times in
#gentoo-dev channel.


> 3. I do not believe arm boxes (or most of users' boxes) update @world weekly
>    and restart unbound automatically. Deadline of a few days is not feasible
>    to propagate to users quickly. There is frequently no order-of-days response
>    from arch teams. It would be nice to have but it's not realistic (IMO).
> 
> [...]
> 
> 6. If this package is so important it needs to be stable months before keys expire.
>    Then users would have a chance to get the update during casual update. Or
>    net-dns/unbound DNSSEC functionality should not be marked stable anywhere
>    if package requires periodic manual intervention to just keep working.

Disclaimer: I am not the maintainer of unbound nor dnssec-root package. I took
action last week after I noticed that there was a time bomb ticking and
nobody cared. I fully agree that an updated dnssec-root package could have been
made available one year ago giving everyone enough time...


> 4. net-dns/dnssec-root is used by a single(ish) package in tree: net-dns/unbound
> 
>    Which is: not a system package, not a default package, not suggested by handbook
>    package, can operate without DNSSEC enabled.

Unbound is a popular resolver and many Gentoo users are operating ARM-based
routers. I don't get your point. Of course you could disable DNSSEC and DNS
will resume working. But is this really your point?


>    While annoying it's not going to lock users out or corrupt their data.

Right, it doesn't cause data corruption. But when your Gentoo-based router
will stop working this can be a problem. Don't forget about remote systems.
Again, people who know how to deal with problems like that aren't the
problem. But why do we care about stable packages if we assume that everyone
knows what to do when experiencing problems?


> 5. net-dns/dnssec-root is a plain-text file package. It should have been ALLARCHES
>    stablewithout involvement of arm@.

It wasn't about dnssec-root package. Of course this could have been stabilized
under ALLARCHES policy. It wasn't because package has a new dependency
(>=dev-perl/XML-XPath-1.420.0 + deps) which was lacking stable keywords, too.



If ARM can keep up I am quiet. But please, be honest. We don't need another
HPPA. Nobody will win something if we tell world "ARM is a first class citizen
in Gentoo" when it isn't (anymore). But if people would know it is ~ARCH, we
would not disappoint expectations.


-- 
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 618 bytes --]