Hi Thomas, hi release team!

On 28.09.2010 16:00, Thomas Müller wrote:
>
> On Thu, 23.09.2010, 21:39, Adam D. Barratt wrote:
>> On Thu, 2010-09-23 at 20:37 +0200, Thomas Mueller wrote:
>>> I'd like to ask you for a freeze exception of quassel 0.7.1.
>>> The current version of quassel in testing is 0.6.1-2.
>>> This version has a security hole as documented in [1] and in this bug
>>> report as well [2].
>>>
>>> To fix this issue I could upload 0.6.3,
>>
>> Or 0.6.1-3 containing just the security fix. (Jumping to 0.6.3 assumes
>> that all of the changes in 0.6.2 are okay; I haven't checked each of
>> them, but there appear to be a couple of dozen of them).
>>
>
> preparing a 0.6.1-3 seems odd to me, because it already contains 12
> known bugs, which have been fixed in 0.6.2.
> Are we interested in delivering buggy software to our users? I'm not!
>

I've taken a brief look at 0.6.3 and 0.7.1 and the fix for the CTCP issue.
The raw numbers are:

$ diff -urN quassel-0.6.1 quassel-0.7.1 | filterdiff -x "*/po/*" | diffstat
 141 files changed, 5386 insertions(+), 1082 deletions(-)

$ diff -urN quassel-0.6.1 quassel-0.6.3 | filterdiff -x "*/po/*" | diffstat
 45 files changed, 552 insertions(+), 309 deletions(-)

$ git show a4ca56 | diffstat
 ctcphandler.cpp |   71 ++++++++++++++++++++++++++++++++++++--------------------
 ctcphandler.h   |   12 +++++----
 2 files changed, 53 insertions(+), 30 deletions(-)

So, the changes between 0.6.1 and 0.7.1 are significant. For the changes
between 0.6.1 and 0.6.3 I skimmed through the git log, and the changes
look all reasonable and are targeted bug fix commits. Besides, I've
test-built 0.6.3 and gave the client some basic testing. Looked all fine
so far.

My recommendation would be to get 0.6.3 into squeeze.

>> 0.7.0 appears to have been tagged upstream a little over a week ago;
>> that's a bit soon to be declaring 0.6 "outdated", isn't it?
>>
>
> well, a user interested in quassel will most likely look for a 0.7.x
> version. In every other distro 0.7.x will be/has been delivered.
>
> that's why i call it outdated.

Software will always be outdated. The question is, is 0.6.x maintainable
or not. And I think it is. Upstream has a 0.6 branch where targeted bug
fixes are committed. To me that doesn't look like upstream has abandoned
maintenance of 0.6.x.

>>> Package for 0.7.1 has been uploaded to unstable on September 21st.
>>
>> It would have been appreciated if you'd sent this mail _before_ doing
>> that (or uploaded to experimental in the meantime).
>>
> Next time I'll contact the release team in advance.
> Upload to experimental feels odd for me - upstream has officially released
> 0.7 - this is not experimental - right?

Thomas, the reason why Adam asked you to upload to experimental is not so
much about the software in question being unstable or buggy, but due to
how testing migration works, especially in times of freezes. Packages in
experimental do not interfere with testing migration, so it is safe to
upload new *major* upstream releases there during a freeze.

Getting 0.6.3 into squeeze, when 0.7.1 has already been uploaded to
unstable, is now only possible

a/ via testing-proposed-updates. This has the negative side-effect that
   the package does not get its usual 10 days of testing.

b/ by uploading 0.6.3 to unstable, either using an epoch or a version
   number like 0.7.1reallyis0.6.3.

Both approaches are rather ugly. I hope you understand now a bit better
why during a freeze it is better to upload new major releases to
experimental.

With all that said, uploading 0.6.3 to t-p-u looks rather safe to me, but
I know the RT is maybe a bit more conservative. The changes in 0.7.1 are
indeed substantial and *do* have regression potential, which is not really
wanted at this stage of the freeze.

Please give Thomas clear instructions, so he can proceed and the CVE can
be closed.

Thanks,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
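The two "ugly" workarounds Michael lists for option b/ (an epoch, or a version string like 0.7.1reallyis0.6.3) both rely on Debian's version ordering placing the 0.6.3 upload above the 0.7.1 already in unstable. The following is an added example, not part of this thread and not dpkg's code: it re-implements the comparison algorithm from Debian Policy section 5.6.12 (the one `dpkg --compare-versions` applies) and runs it on the version numbers from the thread. Function names are this example's own.

```python
# Added example (not part of the thread, not dpkg's own code): Debian
# version ordering per Policy 5.6.12, to show why an epoch or a
# "0.7.1reallyis0.6.3" version lets a 0.6.3 upload sort above 0.7.1.
# Function names are this example's own, not a dpkg API.


def _order(c):
    """Sort weight of one character in a non-digit run: '~' sorts before
    everything (even end of string), letters before other characters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments (upstream_version or debian_revision)
    the way dpkg does: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, remember the first differing digit,
        # and let the longer run (the bigger number) win.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]'. A missing epoch is 0; a missing
    revision compares equal to '0' (Policy 5.6.12)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    for x, y in ((u1, u2), (r1, r2)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


if __name__ == "__main__":
    # Versions from the thread: testing has 0.6.1-2, unstable has 0.7.1.
    # A plain 0.6.3-1 would never migrate past 0.7.1; the two workarounds do.
    for candidate in ("0.6.3-1", "1:0.6.3-1", "0.7.1reallyis0.6.3-1"):
        above = compare_versions(candidate, "0.7.1-1") > 0
        print(f"{candidate:24} {'sorts above' if above else 'sorts below'} 0.7.1-1")
```

The "reallyis" trick works because, once the common prefix 0.7.1 is consumed, a letter run compares greater than the end of the other string; the epoch works because epochs are compared numerically before anything else. On a real system the same checks are `dpkg --compare-versions 0.7.1reallyis0.6.3-1 gt 0.7.1-1` and `dpkg --compare-versions 1:0.6.3-1 gt 0.7.1-1`.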