
Bug#841294: Overrule maitainer of "global" to package a new upstream version



On Fri, Dec 09, 2016 at 11:58:02AM +0100, Didier 'OdyX' Raboud wrote:
> On Friday, 9 December 2016, 04:55:20 CET, Ron wrote:
> > > If you haven't yet, I urge you to use our standard interface to report
> > > such bugs; please make sure issues like this one are public on our
> > > bugtracker, with correct found/notfound version markers.
> > 
> > Do you really want entries in the tracker for buggy code that was never
> > in Debian, because I nacked Punit uploading things he didn't understand
> > with a vague promise to maybe look at them later?
> 
> That code is now in Debian (experimental), so yes, I do expect you to act in 
> good faith and report bugs you see. You are obviously quite versed in how 
> 'global' works, and that's undoubtedly valuable to produce the best possible 
> 'global' package.

No, the code in experimental has that 'fixed', by commenting it out and
inviting the user to uncomment it themselves.

The context for this, was that was the code which was proposed to be
uploaded, and which was last discussed, at the time this was brought
to the ctte.  It never was uploaded to any suite, just published in
collab-maint, and I think Punit provided packages somewhere else.

The code in experimental does have some eye raising things in it, but
nothing that I've yet traced through as being definitely exploitable.
But I also haven't given it a serious audit yet, just eyeballed it
quickly for obvious things.

> > Now we're talking about what to do among a wider group of people, given
> > that it still looks like nothing material will change.  The system works?
> 
> It doesn't: it shouldn't take 3 stable releases to get a new upstream release 
> for a leaf package.

There's a difference between blindly uploading a new upstream and
actually having a solution to the problem which is the reason that
it wasn't.

I made that reason very clear, and invited proposed solutions in
the original 'new upstream' bug, #574947.  Nobody else, except
Taisuke and I ever made any effort to deal with that.

Taisuke and I both considered the secure use of htags to be an
important use case.  But given the time that has gone by, and the
fact that the upstream code in what is currently in experimental
has completely eliminated any possible use from a secure system
location now, and how doxygen's search facility has improved in
the last couple of years - my opinion has likewise changed in line
with that changed circumstance.

But it's taken all of "3 stable releases" for that to actually
change ...  this wasn't all the case at the time of the freeze
for Jessie, or before.


I still think it would be rude to burn the remaining users on
such short notice - but I don't think we should delay doing that
any longer than the end of the Stretch freeze.  And if there is
sufficient consensus to say "burn them immediately", I've already
said I'm ok with that too.  But I would want there to be a consensus
of people who'd have my back about doing that.  Else we just have
the same situation as we do now, where people abuse me for not doing
exactly what _they_ would have preferred.


> > That report led to both me and the reporter having a (very) long
> > discussion with upstream about how to resolve the real problem that
> > you keep assuming we never tried to do anything about.
> 
> By "(very) long discussion", do you mean these 8 mails ?
> 
> 	http://lists.gnu.org/archive/html/bug-global/2010-08/threads.html#00006

No.  That was one thread of many.  But aside from what's also in
the BTS, and on -devel (or was it -project?), the vast majority
were private emails, and span many years of trying to move this
forward one way or another.
