
Bug 943539

Summary: net-p2p/qbittorrent-5.0.1 stabilisation
Product: Gentoo Linux
Reporter: Andreas Sturmlechner <asturm>
Component: Stabilization
Assignee: Eli Schwartz <eschwartz>
Status: RESOLVED FIXED
Severity: normal
CC: eschwartz, fkobi
Priority: Normal
Keywords: CC-ARCHES, SECURITY
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
Whiteboard:
Package list:
net-p2p/qbittorrent-5.0.1
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 942569

Description Andreas Sturmlechner gentoo-dev 2024-11-15 09:14:23 UTC
Ready?
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-11-15 09:16:11 UTC
Note that per the discussion in the bug, it's not really a security stabilisation.
Comment 2 Filip Kobierski 2024-11-15 10:13:47 UTC
I have been using 5.0.1 for over two weeks and I think it's stable enough.

However, as Sam noticed, this is not a security matter, and it has been two weeks since 5.0.1 was introduced to the tree, and I see no reason to hasten the stabilization.

I think patching 4.6.7 is way more important as that is the stable and vulnerable package.
Comment 3 Andreas Sturmlechner gentoo-dev 2024-11-15 12:17:37 UTC
I'm really confused now. Either there is a security bug, or there is none?

Note that patching 4.6.7 would equally require revbumping and re-stabilisation, so in cases where a stable enough newer version already exists, we usually prefer just going with that instead, even before a 30 day threshold.
Comment 4 Eli Schwartz gentoo-dev 2024-11-19 00:30:21 UTC
The package has a genuine security vulnerability but only on macOS (and Windows) which means Gentoo Prefix.

It is not a matter for Gentoo Security as the security team treats Prefix usage as out of scope. No GLSA, and it's not clear there is a benefit to stabilization either.

But it's been over half the usual 30-day period for stabilization, the package update seems to be working well, no issues have been reported, and I'd feel comfortable stabilizing if the policy didn't say "30 days". Moreover, it can sometimes be easier to tell people "we package version 5.0.1" than "in our configuration the issue cannot be encountered so even though it's a vulnerable version it's not a vulnerable install". So maybe stabilizing early is fine anyway?

I don't have strong feelings about what to do here. Feedback welcome.
Comment 5 Andreas Sturmlechner gentoo-dev 2024-11-20 17:24:12 UTC
Looking at the not-so-big changelog over 5.0.0 (which had been in ::gentoo since Oct 1st) may help with a decision as well:

https://github.com/qbittorrent/qBittorrent/blob/release-5.0.1/Changelog
Comment 6 Andreas Sturmlechner gentoo-dev 2024-12-11 21:56:34 UTC
So what now? Rather move to 5.0.2 already?
Comment 7 Eli Schwartz gentoo-dev 2024-12-11 23:15:54 UTC
5.0.1:

> slot(0) no change in 40 days for unstable keywords: [ ~amd64, ~x86 ]

Let's do it.
Comment 8 Eli Schwartz gentoo-dev 2024-12-11 23:16:10 UTC
How did that box get checked???
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-12-12 03:46:34 UTC
amd64 done
Comment 10 Arthur Zamarin archtester Gentoo Infrastructure gentoo-dev Security 2024-12-12 07:07:19 UTC
x86 done

all arches done