В Пнд, 16/08/2010 в 18:04 +0000, Alexey Shvetsov (alexxy) пишет:
> alexxy 10/08/16 18:04:52
>
> Modified: ChangeLog
> Added: drupal-5.23.ebuild drupal-6.19.ebuild
> Removed: drupal-6.16.ebuild drupal-6.17.ebuild
> drupal-5.22.ebuild
> Log:
> [www-apps/drupal] Version bump

Always reference bug number and mention people that spent time reporting
problems in our bugzilla. Please, add bug # and attribution into
ChangeLog. Also with version bump it's always good idea to keep previous
version to allow re-installation of previous versions in the case of
regressions.

https://bugs.gentoo.org/show_bug.cgi?id=323399

--
Peter.

On Tue, 17 Aug 2010 10:46:10 +0400, Peter Volkov <pva@gentoo.org> wrote:

> В Пнд, 16/08/2010 в 18:04 +0000, Alexey Shvetsov (alexxy) пишет:
> > alexxy 10/08/16 18:04:52
> >
> > Modified: ChangeLog
> > Added: drupal-5.23.ebuild drupal-6.19.ebuild
> > Removed: drupal-6.16.ebuild drupal-6.17.ebuild
> > drupal-5.22.ebuild
> > Log:
> > [www-apps/drupal] Version bump
>
> Always reference bug number and mention people that spent time
> reporting problems in our bugzilla. Please, add bug # and attribution
> into ChangeLog. Also with version bump it's always good idea to keep
> previous version to allow re-installation of previous versions in the
> case of regressions.
>
> https://bugs.gentoo.org/show_bug.cgi?id=323399
>

That's rather https://bugs.gentoo.org/show_bug.cgi?id=332541

I agree that the bug # should be referenced, but as for removing the
old versions, that's something we usually ask people to do after
bumping packages with security issues to minimize the risk of people
installing possibly vulnerable versions.

--
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de

Ok =)

Next time i'll add bug numbers =) Actualy i simply forgot about them.

2010/8/17 Alex Legler <a3li@gentoo.org>:
> On Tue, 17 Aug 2010 10:46:10 +0400, Peter Volkov <pva@gentoo.org> wrote:
>
>> В Пнд, 16/08/2010 в 18:04 +0000, Alexey Shvetsov (alexxy) пишет:
>> > alexxy Â* Â* Â*10/08/16 18:04:52
>> >
>> > Â* Modified: Â* Â* Â* Â* Â* Â* ChangeLog
>> > Â* Added: Â* Â* Â* Â* Â* Â* Â* Â*drupal-5.23.ebuild drupal-6.19.ebuild
>> > Â* Removed: Â* Â* Â* Â* Â* Â* Â*drupal-6.16.ebuild drupal-6.17.ebuild
>> > Â* Â* Â* Â* Â* Â* Â* Â* Â* Â* Â* Â* drupal-5.22.ebuild
>> > Â* Log:
>> > Â* [www-apps/drupal] Version bump
>>
>> Always reference bug number and mention people that spent time
>> reporting problems in our bugzilla. Please, add bug # and attribution
>> into ChangeLog. Also with version bump it's always good idea to keep
>> previous version to allow re-installation of previous versions in the
>> case of regressions.
>>
>> https://bugs.gentoo.org/show_bug.cgi?id=323399
>>
>
> That's rather https://bugs.gentoo.org/show_bug.cgi?id=332541
>
> I agree that the bug # should be referenced, but as for removing the
> old versions, that's something we usually ask people to do after
> bumping packages with security issues to minimize the risk of people
> installing possibly vulnerable versions.
>
> --
> Alex Legler | Gentoo Security / Ruby
> a3li@gentoo.org | a3li@jabber.ccc.de
>



--
Best Regards,
Alexey 'Alexxy' Shvetsov
Petersburg Nuclear Physics Institute, Russia
Department of Molecular and Radiation Biophysics
Gentoo Team Ru
Gentoo Linux Dev
mailto:alexxyum@gmail.com
mailto:alexxy@gentoo.org
mailto:alexxy@omrb.pnpi.spb.ru

В Втр, 17/08/2010 в 11:27 +0200, Alex Legler пишет:
> but as for removing the old versions, that's something we usually ask
> people to do after bumping packages with security issues to minimize
> the risk of people installing possibly vulnerable versions.

I agree with removal but not immediately. Personally I already had
issues with another web application: it worked in my installation, but
people were unable to use it after security fix. Since having vulnerable
but working installation is better then "fixed" but broken, I'd rather
always kept old versions for some time. Also it's not a big problem to
have old versions in the tree since you have to specify version number
explicitly to install them...

--
Peter.

On Tue, 17 Aug 2010 16:11:42 +0400, Peter Volkov <pva@gentoo.org> wrote:

> В Втр, 17/08/2010 в 11:27 +0200, Alex Legler пишет:
> > but as for removing the old versions, that's something we usually
> > ask people to do after bumping packages with security issues to
> > minimize the risk of people installing possibly vulnerable versions.
>
> I agree with removal but not immediately. Personally I already had
> issues with another web application: it worked in my installation, but
> people were unable to use it after security fix.

In that case: Reopen the bug and inform us. Besides, you should only
get issues when dealing with ~arch ebuilds as they're not tested. But
that's what you get for using testing. *shrug*

> Since having
> vulnerable but working installation is better then "fixed" but
> broken,

No offense, but that's just naive.

> I'd rather always kept old versions for some time.

Use a local overlay then.

> Also it's
> not a big problem to have old versions in the tree since you have to
> specify version number explicitly to install them...
>

You obviously haven't been in our support venues and seen what some
people are able to do...

--
Alex Legler | Gentoo Security / Ruby
a3li@gentoo.org | a3li@jabber.ccc.de