Bug 134077

Summary: Notice of intention to start dropping ppc-macos stable keywords
Product: Gentoo Security
Reporter: solar (RETIRED) <solar>
Component: Vulnerabilities
Assignee: Gentoo for Mac OS X <ppc-macos>
Status: RESOLVED FIXED
Severity: critical
CC: ferringb, flameeyes, jakub, jforman, ndimiduk
Priority: High    
Version: unspecified   
Hardware: PPC   
OS: OS X   
Whiteboard:
Package list:
Runtime testing required: ---

Description solar (RETIRED) gentoo-dev 2006-05-22 20:45:21 UTC
This bug is to notify you that the QA team intends to give all devs the 
power to drop stable keywording for the ppc-macos arch. Your lack of
proper participation in the project is causing tree wide harm and bloat.
Comment 1 solar (RETIRED) gentoo-dev 2006-05-22 21:09:17 UTC
An example of a user who has been attempting to help your arch. http://tinyurl.com/h4tjy without much apparent success.

But what matters the most is that this arch is brought to current for 
security bugs or we have to go the route of comment #0
Comment 2 Mark Loeser (RETIRED) gentoo-dev 2006-05-22 21:14:24 UTC
(In reply to comment #1)
> But what matters the most is that this arch is brought to current for 
> security bugs or we have to go the route of comment #0
> 


Do we have a list of the packages that would need to be marked?  As I said, I would like to give them the opportunity to get caught up before we start having to pull keywords so we can move forward, unless the macos team doesn't care to get caught up.
Comment 3 solar (RETIRED) gentoo-dev 2006-05-22 21:33:38 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > But what matters the most is that this arch is brought to current for 
> > security bugs or we have to go the route of comment #0
> > 
> 
> Do we have a list of the packages that would need to be marked?  

"The Entire Tree"

> As I said, I would like to give them the opportunity to get caught up before 
> we start having
> to pull keywords so we can move forward, unless the macos team doesn't care to
> get caught up.

The word on the channel is that they probably won't care. And this bug 
only serves to make the process of dropping keywords official. OSX seems
to be in a semi limbo mode right now working on prefix stuff. It is my
understanding from talking with several people on the #-osx channel that
osx is openly saying its stance is to ignore keywording bugs.

The real intention here is to clean up the following list which applies 
to all arches. It's just that we can't do any cleaning as long as these
old/vuln ebuilds remain in the tree.

http://gentooexperimental.org/~ferringb/reports/tree-vulnerabilities.log
Comment 4 Fabian Groffen gentoo-dev 2006-05-23 00:28:29 UTC
While I agree that I may have gotten behind, I certainly think that I tried to solve all security bugs that bugzilla would tell me of.  Also, I intend to stable everything people ask for, if I can.  It is true that I don't really work hard on getting new packages keyworded ~ppc-macos, but I don't see why that is an issue for you.  It seems like a separate issue to me.  The Bug list you posted is the list of bugs by Dirk Schoenberger which all require to add a keyword, not to stable it.  Since I cannot "just" keyword whatever he asks, because he doesn't test all flags and dependencies and whatever, I'm sorry that I didn't handle all of his bugs.

Not that I have anything to say, so do whatever you think is necessary.  Have a nice day.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-05-23 02:41:30 UTC
Fabian, how much needed are _stable_ keywords for ppc-macos in tree right now? It might be simpler to just have ~ppc-macos until there's enough people to handle them. It would be simpler once prefix is all deployed, but right now it seems like unless you can find more help for stable keywording, you're going to lag behind no matter what.

Also it would make sense for .indev profiles to be just ~arch from a theoretical POV.

I would say not to be hasty, give some time for Gentoo for Mac OS X team to find helpers, one week or two, and then see what happens. If there will be interest in this, it wouldn't be good to get all removed.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2006-05-23 02:51:05 UTC
I'd like to see the same done for mips: http://tinyurl.com/nwcfg - 

Better said, not only drop stable keywords, but drop mips keywords altogether where there's total lack of participation.

This one is an outstanding example how things should not be done: Bug 86085
Comment 7 Fabian Groffen gentoo-dev 2006-05-23 03:32:52 UTC
(In reply to comment #5)
> Fabian, how much needed are _stable_ keywords for ppc-macos in tree right now?

Not really, we mainly have to keep them in order to avoid problems with dropped keywords.

> It might be simpler to just have ~ppc-macos until there's enough people to
> handle them.

I mainly maintained ppc-macos stable because there are some stable users (myself included) out there.

> It would be simpler once prefix is all deployed, but right now it
> seems like unless you can find more help for stable keywording, you're going to
> lag behind no matter what.

I certainly see dropping the full tree to ~ppc-macos as an option.  We decided not to do this when we discussed this because of above mentioned reasons.  However, if there are serious problems out there, I will cooperate, as my target has always been to be much less of a pain in the *** to the other groups.  I obviously failed in that, it seems.

> If there will be
> interest in this, it wouldn't be good to get all removed.

I second that.  It would be a pity if all work would get removed from the tree.  I will look through the security list of Brian tonight to see where we are blocking, and at least solve those issues.
Comment 8 solar (RETIRED) gentoo-dev 2006-05-23 04:31:30 UTC
If you could look them over that would be even better.

Here is a list for you to review glsa wise.
It's not as bad as I thought. Note all packages in this list are not keyworded stable ppc-macos 

app-crypt/gnupg
app-text/pdftohtml
app-text/tetex
dev-lang/perl
dev-lang/ruby
games-roguelike/nethack
media-gfx/imagemagick
media-gfx/pngcrush
media-gfx/xv
media-libs/tiff
media-sound/gnump3d
media-sound/mpg321
media-video/ffmpeg
net-libs/gnutls
net-misc/curl
net-misc/rsync
sys-apps/texinfo
www-client/lynx
x11-libs/openmotif
Comment 9 solar (RETIRED) gentoo-dev 2006-05-23 04:32:55 UTC
I'm not sure how well I filtered them down but mainly these are the pkgs 
in question. 'gnupg lynx openmotif tetex tiff xv' right now
Comment 10 Fabian Groffen gentoo-dev 2006-05-23 04:39:53 UTC
Now those two lists come a lot closer to my conception of the situation than the initial posts suggested.  I will look at the lists tonight for sure.
Comment 11 Nick Dimiduk (RETIRED) gentoo-dev 2006-05-23 09:12:36 UTC
Grobian has been doing a fine job keeping up with security keywording requests -- squashing bugs before I see the email.

Most of this team's active efforts are going into prefix right now, so I think it makes sense to keep the main tree ~ppc-macos and drop our keyword from security-risk packages rather than stabilizing their successors.
Comment 12 Fabian Groffen gentoo-dev 2006-05-23 11:53:42 UTC
While I think the initial "intention" of this bug has changed somewhat, I still like to make a remark here.

If I look at GnuPG, then I think this is the bug that belonged to the stable request:
http://bugs.gentoo.org/show_bug.cgi?id=122721
There is no ppc-macos on there, which means we're just left out.  You can't expect us to stable packages if we're not CC'ed.  I feel this happens a lot, especially after our arch was dropped from the add-arch list for I don't know reason, but it was too difficult to add us back.  With that in mind, we don't even get a fair chance to try and make our presence in the tree as harmless as possible for others.
Some more searching and changelog sniffing, reveals there was another security thing:
http://bugs.gentoo.org/show_bug.cgi?id=125217
Thierry mentions us, but we are not CC'ed.

I went through your list, and fixed where appropriate (thanks for the list by the way!):
app-crypt/gnupg-1.4.2.2 ppc-macos stable
app-text/pdftohtml-0.36-r4 all ~ppc-macos
app-text/tetex-2.0.2-r8 ppc-macos stable
dev-lang/perl-5.8.7-r3 all ~ppc-macos (and masked)
dev-lang/ruby-1.8.4-r1 all ~ppc-macos (and masked)
games-roguelike/nethack-3.4.3-r1 all (the only one, actually) ~ppc-macos
media-gfx/imagemagick-6.2.5.5 all ~ppc-macos
media-gfx/pngcrush-1.5.10 all ~ppc-macos
media-gfx/xv-3.10a-r12 ppc-macos stable
media-libs/tiff-3.7.3 ppc-macos stable (http://bugs.gentoo.org/show_bug.cgi?id=91584 we never got called)
media-sound/gnump3d-2.9.7-r1 all ~ppc-macos
media-sound/mpg321-0.2.10-r2 all ~ppc-macos
media-video/ffmpeg-0.4.9_p20051216 all ~ppc-macos
net-libs/gnutls-1.2.10 all ~ppc-macos
net-misc/curl-7.15.1-r1 all ~ppc-macos (and masked)
net-misc/rsync-2.6.8-r2 all ~ppc-macos (and masked)
sys-apps/texinfo-4.8-r2 all ~ppc-macos
www-client/lynx-2.8.5-r2 just ppc-macos stable(!)
x11-libs/openmotif-2.2.3-r8 just ppc-macos stable(!)

Because I fixed all problems where this was a problem, I deem this bug resolved and fixed.  Reopen if you disagree or send mail to gentoo-osx@list.g.o.
Comment 13 Fabian Groffen gentoo-dev 2006-05-23 11:55:49 UTC
(In reply to comment #11)
> Most of this team's active efforts are going into prefix right now, so I think
> it makes sense to keep the main tree ~ppc-macos and drop our keyword from
> security-risk packages rather than stabilizing their successors.

I see no reasons to drop keywords at the moment.

That makes me add this: if you want some ppc-macos thing to be solved, just file a bug.  As long as I am allowed to be around, you will get at least an answer.  Thanks.
Comment 14 solar (RETIRED) gentoo-dev 2006-05-23 13:00:21 UTC
Security Team. See comment #12
What can we do to help OSX out here?
Comment 15 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-23 15:24:42 UTC
First of all, it would be nice if ppc-macos can be added to the neat add-arches box in the top right because I'm a lazy slacker.
If ppc-macos slipped through when CCing arches to stable, all I can say is that I'm sorry and that I'll try to pay special attention in the future. But also note that we only call arches that had a vulnerable stable version and a lot of ppc-macos packages seem to be ~ only, so we intentionally didn't CC them in these cases (seems like gpg packages had a stable version, so this is no excuse for not adding you guys back then).
No idea how to help them, but now that we know the problem we might be able to team up and see if this works out in some way.
Comment 16 solar (RETIRED) gentoo-dev 2006-05-23 18:51:57 UTC
Jeff,
Re comment #12
"I feel this happens a lot, especially after our arch was dropped from the add-arch list for I don't know reason.."

Any insight to the above?
Comment 17 Jeffrey Forman (RETIRED) gentoo-dev 2006-05-23 19:06:43 UTC
Alright kids,

Would "ppc-macos" be considered an OS or a piece of hardware in bugzilla's eyes? I don't care for flamewars, just tell me which of these two to put it into

1. OS
2. Hardware

-Jeff
Comment 18 Nick Dimiduk (RETIRED) gentoo-dev 2006-05-23 19:16:49 UTC
re. comment 17

It's both, unfortunately.  I would assume ppc64-macos and x86-macos both potentially exist.  However, because we developers lack the hardware (afaik), I would say 'ppc-macos' can be treated as an OS until further notice.
Comment 19 Fabian Groffen gentoo-dev 2006-05-24 00:24:26 UTC
hardware = PPC(64)
OS = (MAC)OSX

These are already there, so no changes there.

What we would like is to be in the arch team list, so we can be CC-ed easily.  Entry there may be MACOSX, OSX, or PPC-MACOS.  If you are concerned about the x86-macos, sparc-macos, ia64-macos future, add us as (MAC)OSX in the archs list & use osx@g.o and we will solve that by that time if that ever gets a problem.

If that could be done, people can easily find us again.  Thanks in advance.