* [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
@ 2011-04-26 18:56 Samuli Suominen
  2011-04-26 19:58 ` Alex Alexander
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Samuli Suominen @ 2011-04-26 18:56 UTC
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 148 bytes --]

You have 24 hours to comment on this news item.  Sorry to put it so
bluntly but this is required for major security bug (#364973).

See attachment.

[-- Attachment #2: 2011-04-26-glib-228.en.txt --]
[-- Type: text/plain, Size: 1047 bytes --]

Title: Upgrade to GLIB 2.28
Author: GNOME Team <gnome@gentoo.org>
Content-Type: text/plain
Posted: 2011-04-26
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: <dev-libs/glib-2.28

The way of setting default URI handlers has changed since dev-libs/glib-2.28 
and above. If you used the GConf registry to set them before, they will now
be ignored.

If you use GNOME, you must upgrade gnome-session and gnome-control-center and 
set your default browser/mail-client again.

If you don't use GNOME, you should ensure that the file
~/.local/share/applications/mimeapps.list has the following content:

[Added Associations]
x-scheme-handler/http=$browser_name.desktop;
x-scheme-handler/https=$browser_name.desktop;
x-scheme-handler/mailto=$mailclient_name.desktop;

Replace $browser_name.desktop and $mailclient_name.desktop with the appropriate
file from /usr/share/applications that can handle http/https/mailto URIs.

Please make sure that your browsers and mail clients have been upgraded to the 
latest stable versions before doing all this.


* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-26 18:56 [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item Samuli Suominen
@ 2011-04-26 19:58 ` Alex Alexander
  2011-04-27  0:11   ` Alec Warner
  2011-04-27  7:46 ` [gentoo-dev] " Duncan
  2011-04-27 12:05 ` [gentoo-dev] " Samuli Suominen
  2 siblings, 1 reply; 11+ messages in thread
From: Alex Alexander @ 2011-04-26 19:58 UTC
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 1513 bytes --]

On Tue, Apr 26, 2011 at 09:56:06PM +0300, Samuli Suominen wrote:
> You have 24 hours to comment on this news item.  Sorry to put it so
> bluntly but this is required for major security bug (#364973).
> 
> See attachment.

Should be wrapped at 72 chars, but looks good otherwise, thanks :)


> Title: Upgrade to GLIB 2.28
> Author: GNOME Team <gnome@gentoo.org>
> Content-Type: text/plain
> Posted: 2011-04-26
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: <dev-libs/glib-2.28
> 
> The way of setting default URI handlers has changed since dev-libs/glib-2.28 
> and above. If you used the GConf registry to set them before, they will now
> be ignored.
> 
> If you use GNOME, you must upgrade gnome-session and gnome-control-center and 
> set your default browser/mail-client again.
> 
> If you don't use GNOME, you should ensure that the file
> ~/.local/share/applications/mimeapps.list has the following content:
> 
> [Added Associations]
> x-scheme-handler/http=$browser_name.desktop;
> x-scheme-handler/https=$browser_name.desktop;
> x-scheme-handler/mailto=$mailclient_name.desktop;
> 
> Replace $browser_name.desktop and $mailclient_name.desktop with the appropriate
> file from /usr/share/applications that can handle http/https/mailto URIs.
> 
> Please make sure that your browsers and mail clients have been upgraded to the 
> latest stable versions before doing all this.


-- 
Alex Alexander | wired
+ Gentoo Linux Developer
++ www.linuxized.com



* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-26 19:58 ` Alex Alexander
@ 2011-04-27  0:11   ` Alec Warner
  2011-04-27  5:23     ` Nirbheek Chauhan
  0 siblings, 1 reply; 11+ messages in thread
From: Alec Warner @ 2011-04-27  0:11 UTC
  To: gentoo-dev

On Tue, Apr 26, 2011 at 12:58 PM, Alex Alexander <wired@gentoo.org> wrote:
> On Tue, Apr 26, 2011 at 09:56:06PM +0300, Samuli Suominen wrote:
>> You have 24 hours to comment on this news item.  Sorry to put it so
>> bluntly but this is required for major security bug (#364973).
>>
>> See attachment.
>
> Should be wrapped at 72 chars, but looks good otherwise, thanks :)
>
>
>> Title: Upgrade to GLIB 2.28
>> Author: GNOME Team <gnome@gentoo.org>
>> Content-Type: text/plain
>> Posted: 2011-04-26
>> Revision: 1
>> News-Item-Format: 1.0
>> Display-If-Installed: <dev-libs/glib-2.28
>>
>> The way of setting default URI handlers has changed since dev-libs/glib-2.28
>> and above. If you used the GConf registry to set them before, they will now
>> be ignored.
>>
>> If you use GNOME, you must upgrade gnome-session and gnome-control-center and
>> set your default browser/mail-client again.
>>
>> If you don't use GNOME, you should ensure that the file
>> ~/.local/share/applications/mimeapps.list has the following content:
>>
>> [Added Associations]
>> x-scheme-handler/http=$browser_name.desktop;
>> x-scheme-handler/https=$browser_name.desktop;
>> x-scheme-handler/mailto=$mailclient_name.desktop;
>>
>> Replace $browser_name.desktop and $mailclient_name.desktop with the appropriate
>> file from /usr/share/applications that can handle http/https/mailto URIs.
>>
>> Please make sure that your browsers and mail clients have been upgraded to the
>> latest stable versions before doing all this.

Can you link to the bug in the news item?

>
>
> --
> Alex Alexander | wired
> + Gentoo Linux Developer
> ++ www.linuxized.com
>




* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27  0:11   ` Alec Warner
@ 2011-04-27  5:23     ` Nirbheek Chauhan
  0 siblings, 0 replies; 11+ messages in thread
From: Nirbheek Chauhan @ 2011-04-27  5:23 UTC
  To: gentoo-dev

On Wed, Apr 27, 2011 at 5:41 AM, Alec Warner <antarus@gentoo.org> wrote:
> Can you link to the bug in the news item?
>

Hmmm, not sure how relevant the polkit vulnerability is to the news
item. It's supposed to be about setting mimetype handler information;
not to explain the reason why glib is going stable.


-- 
~Nirbheek Chauhan

Gentoo GNOME+Mozilla Team




* [gentoo-dev] Re: RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-26 18:56 [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item Samuli Suominen
  2011-04-26 19:58 ` Alex Alexander
@ 2011-04-27  7:46 ` Duncan
  2011-04-27 12:17   ` Samuli Suominen
  2011-04-27 12:05 ` [gentoo-dev] " Samuli Suominen
  2 siblings, 1 reply; 11+ messages in thread
From: Duncan @ 2011-04-27  7:46 UTC
  To: gentoo-dev

Samuli Suominen posted on Tue, 26 Apr 2011 21:56:06 +0300 as excerpted:

> You have 24 hours to comment on this news item.  Sorry to put it so
> bluntly but this is required for major security bug (#364973).
> 
> See attachment.
> Title: Upgrade to GLIB 2.28 Author: GNOME Team <gnome@gentoo.org>
> Content-Type: text/plain Posted: 2011-04-26 Revision: 1
> News-Item-Format: 1.0 Display-If-Installed: <dev-libs/glib-2.28
> 
> The way of setting default URI handlers has changed since
> dev-libs/glib-2.28 and above. If you used the GConf registry to set them
> before, they will now be ignored.
> 
> If you use GNOME, you must upgrade gnome-session and
> gnome-control-center and set your default browser/mail-client again.
> 
> If you don't use GNOME, you should ensure that the file
> ~/.local/share/applications/mimeapps.list has the following content:
> 
> [Added Associations]
> x-scheme-handler/http=$browser_name.desktop;
> x-scheme-handler/https=$browser_name.desktop;
> x-scheme-handler/mailto=$mailclient_name.desktop;
> 
> Replace $browser_name.desktop and $mailclient_name.desktop with the
> appropriate file from /usr/share/applications that can handle
> http/https/mailto URIs.
> 
> Please make sure that your browsers and mail clients have been upgraded
> to the latest stable versions before doing all this.

This is unclear.  Should non-gnome users (I'm a kde user) set this to 
prepare for the upgrade, or as a workaround until one actually completes 
the upgrade?

The question comes up, because I'm on 2.28.6, which should be above the 
threshold for the notice, and I have that file in my home dir, but do NOT 
have those entries in it, which the notice appears to imply I should.

Second point:  To clarify, you're asking presumably admin users to set 
this in their homedir config, right?  There's absolutely nothing in the 
proposed news item (and no link with it as a further detail) explaining 
this rather unprecedented tampering with a user's private homedir config, 
nor anything explaining what happens if it isn't done.  Should an admin by 
arbitrary fiat edit the entries for *ALL* users?  Just his own?

If this is intended to be a system level policy edit, why isn't it *AT* 
the system level?  If there is indeed technical reason to go editing 
individual user's homedir configs, then PLEASE make it MUCH CLEARER just 
WHICH user configs need to be edited (presumably all of them), and provide 
some justification, technical or otherwise, why editing the user config is 
the chosen solution.

Note that as I implied above, a further details link is very likely 
appropriate, since news items are normally quite brief, serving in many 
cases more as an alert to check the details elsewhere than a full 
explanation and instructions.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman





* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27 12:05 ` [gentoo-dev] " Samuli Suominen
@ 2011-04-27  8:13   ` Donnie Berkholz
  2011-04-27 13:33     ` Samuli Suominen
  0 siblings, 1 reply; 11+ messages in thread
From: Donnie Berkholz @ 2011-04-27  8:13 UTC
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 730 bytes --]

On 15:05 Wed 27 Apr     , Samuli Suominen wrote:
> The way of setting default URI handlers has changed since 
> dev-libs/glib-2.28 and above. If you used the GConf registry to set 
> them before, they will now be ignored.

Do you think all our users will even understand what this means? Can you 
provide a more plain-English explanation, and give specific examples? 
For example:

"The method for setting default applications for specific URI types 
(https://, mailto://, etc.) changed in dev-libs/glib-2.28 and newer. If 
you previously set them in GConf using the Configuration Editor, they 
will now be ignored."

-- 
Thanks,
Donnie

Donnie Berkholz
Sr. Developer, Gentoo Linux
Blog: http://dberkholz.com



* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-26 18:56 [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item Samuli Suominen
  2011-04-26 19:58 ` Alex Alexander
  2011-04-27  7:46 ` [gentoo-dev] " Duncan
@ 2011-04-27 12:05 ` Samuli Suominen
  2011-04-27  8:13   ` Donnie Berkholz
  2 siblings, 1 reply; 11+ messages in thread
From: Samuli Suominen @ 2011-04-27 12:05 UTC
  To: gentoo-dev

[-- Attachment #1: Type: text/plain, Size: 280 bytes --]

On 04/26/2011 09:56 PM, Samuli Suominen wrote:
> You have 24 hours to comment on this news item.  Sorry to put it so
> bluntly but this is required for major security bug (#364973).
> 
> See attachment.

Based on some comments posted here, and IRC, here is an updated news item.


[-- Attachment #2: 2011-04-26-glib-228.en.txt --]
[-- Type: text/plain, Size: 1273 bytes --]

Title: Upgrade to GLIB 2.28
Author: GNOME Team <gnome@gentoo.org>
Content-Type: text/plain
Posted: 2011-04-26
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: <dev-libs/glib-2.28

The way of setting default URI handlers has changed since
dev-libs/glib-2.28 and above. If you used the GConf registry to set
them before, they will now be ignored.

If you use GNOME, you must upgrade gnome-session and
gnome-control-center and set your default browser/mail-client again.

If you don't use GNOME, you should ensure that the file
~/.local/share/applications/mimeapps.list has the following content:

[Added Associations]
x-scheme-handler/http=$browser_name.desktop;
x-scheme-handler/https=$browser_name.desktop;
x-scheme-handler/mailto=$mailclient_name.desktop;

Replace $browser_name.desktop and $mailclient_name.desktop with the
appropriate file from /usr/share/applications that can handle
http/https/mailto URIs.

The system-wide version of the file is often at
/usr/share/applications/defaults.list instead.

Please make sure that your browsers and mail clients have been upgraded
to the latest stable versions before doing all this.

More information about using defaults.list and mimeapps.list at:

http://www.freedesktop.org/wiki/Specifications/mime-actions-spec

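The check the updated news item asks non-GNOME users to make, as an added example that is not part of the original post or of Gentoo's tooling: it reads mimeapps.list-style files in the order given and reports which installed .desktop file, if any, handles http, https and mailto. The function names, the lookup order (user file before the system-wide defaults.list), the sections consulted and the sample files are assumptions made for illustration.

```python
import configparser
import tempfile
from pathlib import Path

SCHEMES = ("http", "https", "mailto")
# Sections consulted, in order. Treating both as a source of the default is an
# assumption of this example; the news item only shows [Added Associations].
SECTIONS = ("Default Applications", "Added Associations")


def read_associations(path):
    """Return {mime_type: [desktop ids]} from one mimeapps.list/defaults.list."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str  # keep MIME type keys exactly as written
    try:
        parser.read(path, encoding="utf-8")  # a missing file is skipped
    except configparser.Error:
        return {}  # malformed file: treat as providing no handlers
    found = {}
    for section in SECTIONS:
        if parser.has_section(section):
            for key, value in parser.items(section):
                ids = [v.strip() for v in value.split(";") if v.strip()]
                found.setdefault(key, []).extend(ids)
    return found


def audit_handlers(list_files, app_dirs):
    """For each scheme return (desktop_id, source_file), or None if unhandled.

    A desktop id counts only if its file exists in one of app_dirs, so a stale
    entry left behind by an uninstalled program is reported as unhandled.
    """
    parsed = [(str(f), read_associations(f)) for f in list_files]
    result = {}
    for scheme in SCHEMES:
        mime = f"x-scheme-handler/{scheme}"
        result[scheme] = None
        for source, assoc in parsed:
            installed = [i for i in assoc.get(mime, [])
                         if any((Path(d) / i).is_file() for d in app_dirs)]
            if installed:
                result[scheme] = (installed[0], source)
                break
    return result


def demo():
    """Run the audit on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = Path(tmp) / "usr/share/applications"
        user = Path(tmp) / "home/.local/share/applications"
        apps.mkdir(parents=True)
        user.mkdir(parents=True)
        # Constructed data: one installed browser, mail client not installed.
        (apps / "examplebrowser.desktop").write_text("[Desktop Entry]\n")
        (user / "mimeapps.list").write_text(
            "[Added Associations]\n"
            "x-scheme-handler/http=examplebrowser.desktop;\n"
            "x-scheme-handler/mailto=removedmail.desktop;\n")
        (apps / "defaults.list").write_text(
            "[Default Applications]\n"
            "x-scheme-handler/https=examplebrowser.desktop\n")
        report = audit_handlers(
            [user / "mimeapps.list", apps / "defaults.list"], [user, apps])
        return {s: (r[0], Path(r[1]).name) if r else None
                for s, r in report.items()}


if __name__ == "__main__":
    for scheme, hit in demo().items():
        print(scheme, "->", hit or "NO HANDLER")
```

On a real system, audit_handlers would be given ~/.local/share/applications/mimeapps.list and /usr/share/applications/defaults.list, the two files named in the news item.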

* Re: [gentoo-dev] Re: RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27  7:46 ` [gentoo-dev] " Duncan
@ 2011-04-27 12:17   ` Samuli Suominen
  2011-04-27 12:46     ` Duncan
  0 siblings, 1 reply; 11+ messages in thread
From: Samuli Suominen @ 2011-04-27 12:17 UTC
  To: gentoo-dev

On 04/27/2011 10:46 AM, Duncan wrote:
> Samuli Suominen posted on Tue, 26 Apr 2011 21:56:06 +0300 as excerpted:
> 
>> You have 24 hours to comment on this news item.  Sorry to put it so
>> bluntly but this is required for major security bug (#364973).
>>
>> See attachment.
>> Title: Upgrade to GLIB 2.28 Author: GNOME Team <gnome@gentoo.org>
>> Content-Type: text/plain Posted: 2011-04-26 Revision: 1
>> News-Item-Format: 1.0 Display-If-Installed: <dev-libs/glib-2.28
>>
>> The way of setting default URI handlers has changed since
>> dev-libs/glib-2.28 and above. If you used the GConf registry to set them
>> before, they will now be ignored.
>>
>> If you use GNOME, you must upgrade gnome-session and
>> gnome-control-center and set your default browser/mail-client again.
>>
>> If you don't use GNOME, you should ensure that the file
>> ~/.local/share/applications/mimeapps.list has the following content:
>>
>> [Added Associations]
>> x-scheme-handler/http=$browser_name.desktop;
>> x-scheme-handler/https=$browser_name.desktop;
>> x-scheme-handler/mailto=$mailclient_name.desktop;
>>
>> Replace $browser_name.desktop and $mailclient_name.desktop with the
>> appropriate file from /usr/share/applications that can handle
>> http/https/mailto URIs.
>>
>> Please make sure that your browsers and mail clients have been upgraded
>> to the latest stable versions before doing all this.
> 
> This is unclear.  Should non-gnome users (I'm a kde user) set this to 
> prepare for the upgrade, or as a workaround until one actually completes 
> the upgrade?

It's a permanent thing... I think the item is clear on that... "The
default way has changed", nowhere implying this would go away or be
temporary, or a workaround

The KDE desktop should set those mime's already, if you have selected
default browser/mailclient from the desktop's GUI apps. If not, file a
bug for the KDE people.

> The question comes up, because I'm on 2.28.6, which should be above the 
> threshold for the notice, and I have that file in my home dir, but do NOT 
> have those entries in it, which the notice appears to imply I should.

The news item is targeted for stable users... presumably ~arch users
know what they are doing.   Hence the Display-If-Installed.

> 
> Second point:  To clarify, you're asking presumably admin users to set 
> this in their homedir config, right?  There's absolutely nothing in the 
> proposed news item (and no link with it as a further detail) explaining 
> this rather unprecedented tampering with a user's private homedir config, 
> nor anything explaining what happens if it isn't done.  Should an admin by 
> arbitrary fiat edit the entries for *ALL* users?  Just his own?
> 
> If this is intended to be a system level policy edit, why isn't it *AT* 
> the system level?  If there is indeed technical reason to go editing 
> individual user's homedir configs, then PLEASE make it MUCH CLEARER just 
> WHICH user configs need to be edited (presumably all of them), and provide 
> some justification, technical or otherwise, why editing the user config is 
> the chosen solution.
> 
> Note that as I implied above, a further details link is very likely 
> appropriate, since news items are normally quite brief, serving in many 
> cases more as an alert to check the details elsewhere than a full 
> explanation and instructions.
> 

Addressed the system-wide vs. user defined issue in the new draft
(responded to the original post of this thread with it).
Has a link now too.




* [gentoo-dev] Re: RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27 12:17   ` Samuli Suominen
@ 2011-04-27 12:46     ` Duncan
  2011-04-27 12:55       ` Samuli Suominen
  0 siblings, 1 reply; 11+ messages in thread
From: Duncan @ 2011-04-27 12:46 UTC
  To: gentoo-dev

Samuli Suominen posted on Wed, 27 Apr 2011 15:17:57 +0300 as excerpted:

> On 04/27/2011 10:46 AM, Duncan wrote:
>> Samuli Suominen posted on Tue, 26 Apr 2011 21:56:06 +0300 as excerpted:
>> 
>>> You have 24 hours to comment on this news item.  Sorry to put it so
>>> bluntly but this is required for major security bug (#364973).
>> 
>> This is unclear.  Should non-gnome users (I'm a kde user) set this to
>> prepare for the upgrade, or as a workaround until one actually
>> completes the upgrade?
> 
> It's a permanent thing... I think the item is clear on that... "The
> default way has changed", nowhere implying this would go away or be
> temporary, or a workaround

FWIW, yes, the "default way has changed" bit was clear.  It simply wasn't 
(and remains not in the updated news item itself, but there's a link with 
more info now...) immediately clear how the config changes we were being 
asked to do related to that... in part because of the user vs. system 
question.

But the updated version is all around better.

> The KDE desktop should set those mime's already, if you have selected
> default browser/mailclient from the desktop's GUI apps. If not, file a
> bug for the KDE people.

Yes. I found the settings in the system-wide file.  I've had no reason to 
change them from system defaults, so they weren't in the user config, only 
the system config.  The new version allows that information to be 
discovered far easier. =:^)

> The news item is targeted for stable users... presumably ~arch users
> know what they are doing.   Hence the Display-If-Installed.

To the extent that everything seems to be working, yes.

However, in the context of a security bump with instructions for config 
entries I don't see, that I don't fully understand the significance of and 
with no link to further details, as I suppose most admins, I start asking 
questions!

> Addressed the system-wide vs. user defined issue in the new draft
> (responded to the original post of this thread with it).
> Has a link now too.

Indeed.  Much /much/ better now. =:^)

Thanks! =:^)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman





* Re: [gentoo-dev] Re: RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27 12:46     ` Duncan
@ 2011-04-27 12:55       ` Samuli Suominen
  0 siblings, 0 replies; 11+ messages in thread
From: Samuli Suominen @ 2011-04-27 12:55 UTC
  To: gentoo-dev

On 04/27/2011 03:46 PM, Duncan wrote:
> [ .. ]

Just to make it clear: The only relationship this news item has to the
security bump is the fact that the unvulnerable polkit is just needing
newer glib as a dependency for other reasons




* Re: [gentoo-dev] RFC: 24 hour review for >= dev-libs/glib-2.28 stable news item
  2011-04-27  8:13   ` Donnie Berkholz
@ 2011-04-27 13:33     ` Samuli Suominen
  0 siblings, 0 replies; 11+ messages in thread
From: Samuli Suominen @ 2011-04-27 13:33 UTC
  To: gentoo-dev

On 04/27/2011 11:13 AM, Donnie Berkholz wrote:
> On 15:05 Wed 27 Apr     , Samuli Suominen wrote:
>> The way of setting default URI handlers has changed since 
>> dev-libs/glib-2.28 and above. If you used the GConf registry to set 
>> them before, they will now be ignored.
> 
> Do you think all our users will even understand what this means? Can you 
> provide a more plain-English explanation, and give specific examples? 
> For example:
> 
> "The method for setting default applications for specific URI types 
> (https://, mailto://, etc.) changed in dev-libs/glib-2.28 and newer. If 
> you previously set them in GConf using the Configuration Editor, they 
> will now be ignored."
> 

Maybe I expect too much from people... I changed it to the way you put
it, works just as fine.

Also the news item is now committed, a bit sooner than 24 hours but
close enough

Now arch teams can move forward with the security bug, it's A1 Critical
after all



