* [gentoo-dev] URGENT: exotic arches need Qt 4.5.3 stabilization
From: Ben de Groot @ 2009-11-09 13:33 UTC
To: gentoo-dev
I am of the opinion it is irresponsible to leave vulnerable versions of Qt with
known security bugs any longer in the tree. The Qt team therefore requests
that arches that have not done so already move quickly on stabilizing Qt
4.5.3, see bug 290922 and 283810.
We plan on REMOVING or at the very least HARDMASKING pending removal
all <=4.5.2 ebuilds by the end of this week. This means that arches that have
not stabilized 4.5.3 would lose their stable Qt4 version.
Please let us know if there is any way in which we can assist arches. We
are aware that some arches are down to one active person. But if there is
no other way, maybe the status of such arches should be reconsidered.
We especially request ppc64 to be marked as an experimental arch, as it
is the worst one lagging in stabilization. See bug 281821 for a poignant
example, a 3 months open security bug.
Regards,
--
Ben de Groot
Gentoo Linux developer (qt, media, lxde, desktop-misc)
______________________________________________________
* Re: [gentoo-dev] URGENT: exotic arches need Qt 4.5.3 stabilization
From: Tobias Klausmann @ 2009-11-09 17:15 UTC
To: gentoo-dev
Hi!
On Mon, 09 Nov 2009, Ben de Groot wrote:
> We especially request ppc64 to be marked as an experimental arch, as it
> is the worst one lagging in stabilization. See bug 281821 for a poignant
> example, a 3 months open security bug.
As a side note, don't hesitate to poke me or armin76 if you have
the feeling that anything is lagging because alpha isn't quick
enough. I try to handle security bugs (i.e. "CC: alpha and (CC:
or requestor security@)") first, but in the case of Qt, there
were two bugs, one normal stablereq with CC alpha and security
bug without arch CCs. Thus, it just wasn't on my radar as needing
quick action.
Regards,
Tobias
PS: I assume the "just poke me gently if you think I'm slow" goes
for other arches as far as armin76 is concerned, but I let him
speak for himself.
--
printk("Pretending it's a 3/80, but very afraid...\n");
linux-2.6.19/arch/m68k/sun3x/prom.c
* Re: [gentoo-dev] URGENT: exotic arches need Qt 4.5.3 stabilization
From: Mart Raudsepp @ 2009-11-09 17:51 UTC
To: gentoo-dev
On Mon, 2009-11-09 at 14:33 +0100, Ben de Groot wrote:
> I am of the opinion it is irresponsible to leave vulnerable versions of Qt with
> known security bugs any longer in the tree. The Qt team therefore requests
> that arches that have not done so already move quickly on stabilizing Qt
> 4.5.3, see bug 290922 and 283810.
It is more irresponsible and outright wrong to remove the latest stable
revision of a package for some arches, despite security implications.
Hard masking constitutes the same - the last stable version is not in
stable visibility anymore.
You can however remove the keywords of the arches from older versions
that do have a newer version/revision stable as seen in all profiles.
> We plan on REMOVING or at the very least HARDMASKING pending removal
> all <=4.5.2 ebuilds by the end of this week. This means that arches that have
> not stabilized 4.5.3 would lose their stable Qt4 version.
How do you see this being acceptable for the users of these
architectures? Many of these architectures that are "lagging behind" are not
even security supported architectures.
> Please let us know if there is any way in which we can assist arches. We
> are aware that some arches are down to one active person. But if there is
> no other way, maybe the status of such arches should be reconsidered.
It seems most of these arches that are at ~1 person are not security
supported either.
> We especially request ppc64 to be marked as an experimental arch, as it
> is the worst one lagging in stabilization. See bug 281821 for a poignant
> example, a 3 months open security bug.
First its security supported status should be considered, not making it
an experimental arch, as that could very well throw it in a backwards
spiral of getting more and more problematic due to repoman iirc not
checking issues with it by default.
--
Mart Raudsepp
Gentoo Developer
Mail: leio@gentoo.org
Weblog: http://planet.gentoo.org/developers/leio
* Re: [gentoo-dev] URGENT: exotic arches need Qt 4.5.3 stabilization
From: Joseph Jezak @ 2009-11-09 19:41 UTC
To: gentoo-dev
Ben de Groot wrote:
> I am of the opinion it is irresponsible to leave vulnerable versions of Qt with
> known security bugs any longer in the tree. The Qt team therefore requests
> that arches that have not done so already move quickly on stabilizing Qt
> 4.5.3, see bug 290922 and 283810.
>
>
> We plan on REMOVING or at the very least HARDMASKING pending removal
> all <=4.5.2 ebuilds by the end of this week. This means that arches that have
> not stabilized 4.5.3 would lose their stable Qt4 version.
>
>
It is also irresponsible to punish users by breaking the tree when
arches can't keep up.
> Please let us know if there is any way in which we can assist arches. We
> are aware that some arches are down to one active person. But if there is
> no other way, maybe the status of such arches should be reconsidered.
>
> We especially request ppc64 to be marked as an experimental arch, as it
> is the worst one lagging in stabilization. See bug 281821 for a poignant
> example, a 3 months open security bug.
>
I'm sorry that we're having a hard time keeping up, but ppc64 has been
primarily supported by ranger in the recent past, with help from time to
time by other devs. He's been busy with real life work and I was unaware
that security bugs were slipping. So, sorry you're annoyed. :p
Perhaps pinging on our IRC channel, or a direct email to the ppc64@
alias might have helped to bring this to our attention sooner,
personally I know that I sometimes gloss over bugzilla emails due to the
high volume of requests the arch team gets (doubled since I also work on
the 32 bit port).
I would be extremely disappointed to see ppc/ppc64 be marked as
experimental. As of now, Gentoo is one of the few distributions that
maintains support for ppc/ppc64 (Fedora recently dropped ppc/ppc64 from
its primary status, I think it's just us and Debian left out of the
major distributions) and I'd be sorry to see that go.
Again, sorry for the delay, QT-4.5.3 has been marked ppc64 stable and
should be good to go after bug #261632 is fixed.
-Joe
* Re: [gentoo-dev] URGENT: exotic arches need Qt 4.5.3 stabilization
From: Ben de Groot @ 2009-11-09 20:11 UTC
To: gentoo-dev
Thank you very much for your work on stabling 4.5.3. Sorry I overdid it a bit,
I was getting a tad frustrated. I'll try finding the right persons on IRC then,
when I notice bugs going unanswered.
All we need now is hppa.
Cheers,
--
Ben de Groot
Gentoo Linux developer (qt, media, lxde, desktop-misc)
______________________________________________________