
Re: Freeze exception quassel 0.7.1-1

Hi Thomas, hi release team!

On 28.09.2010 16:00, Thomas Müller wrote:
> On Thu, 23.09.2010, 21:39, Adam D. Barratt wrote:
>> On Thu, 2010-09-23 at 20:37 +0200, Thomas Mueller wrote:
>>> I'd like to ask you for a freeze exception of quassel 0.7.1.
>>> The current version of quassel in testing is 0.6.1-2.
>>> This version has a security hole as documented in [1] and in this bug
>>> report
>>> as well [2].
>>> To fix this issue I could upload 0.6.3,
>> Or 0.6.1-3 containing just the security fix.  (Jumping to 0.6.3 assumes
>> that all of the changes in 0.6.2 are okay; I haven't checked each of
>> them, but there appear to be a couple of dozen of them).
> Preparing a 0.6.1-3 seems odd to me, because it already contains 12
> known bugs, which have been fixed in 0.6.2.
> Are we interested in delivering buggy software to our users? I'm not!

I've taken a brief look at 0.6.3 and 0.7.1 and the fix for the CTCP issue.

The raw numbers are:

$ diff -urN quassel-0.6.1 quassel-0.7.1 | filterdiff -x "*/po/*" | diffstat
 141 files changed, 5386 insertions(+), 1082 deletions(-)

$ diff -urN quassel-0.6.1 quassel-0.6.3 | filterdiff -x "*/po/*" | diffstat
 45 files changed, 552 insertions(+), 309 deletions(-)

$ git show a4ca56 | diffstat
 ctcphandler.cpp |   71 ++++++++++++++++++++++++++++++++++++--------------------
 ctcphandler.h   |   12 +++++----
 2 files changed, 53 insertions(+), 30 deletions(-)

So, the changes between 0.6.1 and 0.7.1 are significant.
For the changes between 0.6.1 and 0.6.3 I skimmed through the git log, and the
changes all look reasonable and are targeted bug fix commits.

Besides, I've test-built 0.6.3 and gave the client some basic testing. Looked
all fine so far.

My recommendation would be to get 0.6.3 into squeeze.

>> 0.7.0 appears to have been tagged upstream a little over a week ago;
>> that's a bit soon to be declaring 0.6 "outdated", isn't it?
> Well, a user interested in quassel will most likely look for a 0.7.x
> version. In every other distro 0.7.x will be/has been delivered.
> That's why I call it outdated.

Software will always be outdated. The question is, is 0.6.x maintainable or not.
And I think it is. Upstream has a 0.6 branch where targeted bug fixes are
committed. To me that doesn't look like upstream has abandoned maintenance of 0.6.x.

>>> Package for 0.7.1 has been uploaded to unstable on September 21st.
>> It would have been appreciated if you'd sent this mail _before_ doing
>> that (or uploaded to experimental in the meantime).
> Next time I'll contact the release team in advance.
> Upload to experimental feels odd for me - upstream has officially released
> 0.7 - this is not experimental - right?

Thomas, the reason why Adam asked you to upload to experimental is not so much
about the software in question being unstable or buggy, but due to how testing
migration works, especially in times of freezes.

Packages in experimental do not interfere with testing migration, so it is safe
to upload new *major* upstream releases during freeze there.

Getting 0.6.3 into squeeze, when 0.7.1 has already been uploaded to unstable is
now only possible
a/ via testing-proposed-updates. This has the negative side-effect that the
package does not get its usual 10 days of testing.
b/ upload 0.6.3 to unstable, either using an epoch or a version number like
0.7.1reallyis0.6.3. Both approaches are rather ugly.

I hope you now understand a bit better why during freeze it is better to
upload new major releases to experimental.

With all that said,
uploading 0.6.3 to t-p-u looks rather safe to me, but I know the RT is maybe a
bit more conservative. The changes in 0.7.1 are indeed substantial and *do* have
regression potential which is not really wanted at this stage of the freeze.

Please give Thomas clear instructions, so he can proceed and the CVE can be closed.


Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
