
Bug#689147: unblock: gajim/0.15.1-1



Hi,

Yann Leboulanger wrote (27 Dec 2012 22:02:54 GMT) :
> On 12/27/2012 10:48 PM, intrigeri wrote:
>> I'm absolutely not sure what is the best thing to do now:
>>
>>   1. unblock the embedded python-gnupg copy to the "current copy of
>>      Wheezy's python-gnupg + small change that supposedly improves
>>      things": take the risk to see a regression in gajim due to changes
>>      brought by the library update;

> Have you seen the diff?

I haven't: it's quite big, and most big changes have some potential
for regression during freeze time. I'm not saying the probability is
high, I'm just stating that a risk does exist, so that the release
team can take it into account when they make a decision.

> I don't see what security issue it could cause.

I did not mention anything related to security in the #1 option.

(And even if I had, guess what: people generally don't see what
security issue they introduce, at the time they do. Sorry for
the nitpicking ;)

> But without it, Gajim can traceback, that is a fact.

I'm sorry I missed this important piece of information.

Where was I supposed to learn about it? (Not a rhetorical question,
I've genuinely searched, and failed to find it in the unblock
request-related set of messages. I guess it might be #670243 that is
related to GnuPG support, but it's unclear to me if that one was fixed
by the modifications made to the embedded python-gnupg copy, or by
the upgrade thereof.)

>> Note that, even if this unblock is granted, gajim remains RC-buggy in
>> Wheezy and unstable due to the #693048 security issue.

> [...] So do what you want, remove Gajim from Debian because of this
> security issue if you want.

I think the worst that can happen as a result from this security issue
is certainly not removing Gajim from Debian altogether: it's not
shipping Gajim in Wheezy, if no package deemed suitable for release is
ready on time. I would find it pretty sad, but stable backports are
here to fill the hole in such situations.

> Just note that it's now 3 months that debian testing users cannot
> use video in Gajim because 0.15.1 is still blocked.

I'm sorry about that. Please note the fix to this specific bug was
ACK'd by a Release Team member mid-October, so it could have been
pretty smoothly fixed in Wheezy, had it not been bundled with a bunch
of other changes that were less easy to decide upon, by requiring
additional information or other changes from your side.

I'm sorry the Release Team is overwhelmed with unblock requests, so
their delays in replying to this bug report were quite long sometimes:
every back'n'forth round-trip then takes time, so the best way to
ensure such an unblock request is treated quickly is to only include
changes that are evidently freeze-compliant, and document them very
well at unblock request time, when this is not done in debian/changelog
yet. I hope it may help next time! :)

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

