10-05-2012, 10:42 PM
Kevin Fenzi

Unresponsive maintainer Jef Spaleta - Unpushed security update for 91 days

On Sat, 6 Oct 2012 00:32:50 +0200
Till Maas <opensource@till.name> wrote:

> Hi,
>
> I noticed that the revelation security update was not pushed to
> stable. It is now 91 days old, which makes me suspect that Jef is
> somehow hindered to take care of it:
> https://admin.fedoraproject.org/updates/FEDORA-2012-10269/revelation-0.4.14-1.fc17
> https://admin.fedoraproject.org/updates/FEDORA-2012-10314/revelation-0.4.14-1.fc16



> I remember he was very eager to push it in a timely manner. I already
> wrote an e-mail to revelation-owner on 21 August. Can someone with the
> appropriate permissions please push the updates to stable?

Done.

> It might also be a good idea to look after his 18 other packages:
> https://admin.fedoraproject.org/pkgdb/users/packages/jspaleta?acls=owner

Please see:

http://lists.fedoraproject.org/pipermail/devel/2012-August/170690.html

and the vacation page, where he noted he would be out of contact:

http://fedoraproject.org/wiki/Vacation

kevin
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
10-05-2012, 10:57 PM
Jeff Spaleta

On Fri, Oct 5, 2012 at 2:32 PM, Till Maas <opensource@till.name> wrote:
> I noticed that the revelation security update was not pushed to stable.
> It is now 91 days old, which makes me suspect that Jef is somehow
> hindered to take care of it:

Here's the problem with that update.... it breaks existing revelation
setups for people because of the gconf schema change.

Upstream has seen it happen in upstream bug reports.

You have to nuke the gconf settings manually.

If I could find a way to avoid it from happening I'd have pushed this
update well ahead of my travel to the ass end of the pacific ocean.

As it stands I'm taking myself off the vacation list as of this
evening. But it doesn't change anything. The problem with the gconf
munching is still there.
I still don't have a solution for it. And no one else I've asked seems
to have one either.

WTF is going on with the gconf stuff that is preventing the schema
change from gracefully taking effect?
What do I need to change in the packaging to get it working so that
the most you have to do is logout and log back into your desktop
again?

-jef
 
10-05-2012, 11:01 PM
Jeff Spaleta

On Fri, Oct 5, 2012 at 2:57 PM, Jeff Spaleta <jspaleta@fedoraproject.org> wrote:
> Here's the problem with that update.... it breaks existing revelation
> setups for people because of the gconf schema change.

I'll add that the additional wrinkle is that once you move to the new
version, it updates the encryption on your database... which is
great... but then you can't downgrade back to a version that works with
the gconf settings already in your user space. So for unsuspecting
users they end up with a revelation with strong encryption but with
egregiously broken ui... you can search... you can't generate new
passwords... it's all borked... until you nuke the gconf settings
manually.

So the fact that you can't downgrade to the old version because of the
encryption change... I'm not keen on pushing this until someone has a
fix for the gconf stuff.

-jef
 
10-05-2012, 11:06 PM
Kevin Fenzi

Ugh. Shall I unpush those from going stable then until this is figured?

Sorry about that...

kevin
 
10-05-2012, 11:12 PM
Till Maas

On Fri, Oct 05, 2012 at 02:57:02PM -0800, Jeff Spaleta wrote:
> On Fri, Oct 5, 2012 at 2:32 PM, Till Maas <opensource@till.name> wrote:
> > I noticed that the revelation security update was not pushed to stable.
> > It is now 91 days old, which makes me suspect that Jef is somehow
> > hindered to take care of it:
>
> Here's the problem with that update.... it breaks existing revelation
> setups for people because of the gconf schema change.

I believe this was only the case with earlier updates. At least I did
not notice the problem with the current update and there was no negative
karma to the F17 update during 91 days saying otherwise.

> As it stands I'm taking myself off the vacation list as of this
> evening. But it doesn't change anything. The problem with the gconf

Sorry for the noise, I thought I had checked the vacation page earlier.

Regards
Till
 
10-05-2012, 11:20 PM
Jef Spaleta

On Fri, Oct 5, 2012 at 3:06 PM, Kevin Fenzi <kevin@scrye.com> wrote:
> Ugh. Shall I unpush those from going stable then until this is figured?
>
> Sorry about that...

I am a firm believer in the Pottery Barn rule. You break it you buy it.
If you feel this is important enough of a security fix to break ui
then push it as an update, as long as you take point on unwinding the
ui damage.

F18 will have it out of the box regardless.

The other thing to note is that for anyone who uses the revelation key
file across multiple systems, once you upgrade to this version your
other system with the older revelation can't open the file any more.
An additional wrinkle I don't think anyone has considered. People
trying to use revelation out of the box for F18 and then using that
file on another linux distribution are going to be in for a big surprise.
See any other desktop oriented distros moving to the new version in
their latest or upcoming releases? Revelation upstream was
effectively dead for so long, I doubt many people have noticed it was
forked and given a new upstream hope... or even noticed the encryption
weakness when it was announced.



-jef
 
10-05-2012, 11:24 PM
Kevin Fenzi

On Fri, 5 Oct 2012 15:20:16 -0800
Jef Spaleta <jspaleta@gmail.com> wrote:

> On Fri, Oct 5, 2012 at 3:06 PM, Kevin Fenzi <kevin@scrye.com> wrote:
> > Ugh. Shall I unpush those from going stable then until this is
> > figured?
> >
> > Sorry about that...
>
> I am a firm believer in the Pottery Barn rule. You break it you buy
> it. If you feel this is important enough of a security fix to break ui
> then push it as an update, as long as you take point on unwinding the
> ui damage.

Well, I don't use it, I just wanted to provide the security update.

If you don't think it's worth pushing as a maintainer due to the
breakage, I can move it back to testing.

> F18 will have it out of the box regardless.

yeah.

> The other thing to note is that for anyone who uses the revelation key
> file across multiple systems, once you upgrade to this version your
> other system with the older revelation can't open the file any more.
> An additional wrinkle I don't think anyone has considered. People
> trying to use revelation out of the box for F18 and then using that
> file on another linux distribution are going to be in for a big surprise.
> See any other desktop oriented distros moving to the new version in
> their latest or upcoming releases? Revelation upstream was
> effectively dead for so long, I doubt many people have noticed it was
> forked and given a new upstream hope... or even noticed the encryption
> weakness when it was announced.

Fun.

kevin
 
10-05-2012, 11:43 PM
Adam Williamson

On Fri, 2012-10-05 at 14:57 -0800, Jeff Spaleta wrote:
> On Fri, Oct 5, 2012 at 2:32 PM, Till Maas <opensource@till.name> wrote:

25 minutes for an 'unresponsive maintainer' to respond, that has to be
some sort of project record. =)
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

 
10-06-2012, 02:58 PM
Tadej Janež

On Sat, 2012-10-06 at 01:12 +0200, Till Maas wrote:
> I believe this was only the case with earlier updates. At least I did
> not notice the problem with the current update and there was no negative
> karma to the F17 update during 91 days saying otherwise.

I was the one who gave bad karma to the F16 update, because it
didn't upgrade the gconf settings properly.
This is not some earlier version of the update, but the same version
that has been submitted to stable.

In my opinion, we should weigh the impact of the security issue (see:
http://lists.fedoraproject.org/pipermail/devel/2012-June/168616.html)
against the manual intervention the user has to do to get Revelation usable
again (manually deleting the ~/.gconf/schemas/apps/revelation folder).

Therefore, I'm against pushing the update to stable.

Regards,
Tadej

All times are GMT.