After FC3 final has been released several updates have been pushed out to the mirrors and yet again we haven't seen any announcement for some of them. Some announcements for FC2 and even FC1 are still missing too:
FC1: gaim-0.77-2.FC1 gaim-0.80-1.FC1 gaim-0.81-1.FC1 postfix-2.0.16-1 recode-3.6-12.0
FC2: devhelp-0.9.1-0.2.2 epiphany-1.2.7-0.2.0 epiphany-1.2.7-0.2.2 fam-2.6.10-9.FC2 gaim-0.77-7 gaim-0.80-1.FC2 gaim-0.81-1.FC2 gaim-1.0.2-0.FC2 gnome-session-2.6.0-4 kernel-2.6.9-1.3_FC2 libxml-1.8.17-10.1.2 man-1.5o1-6 mozilla-1.7.2-0.2.0 mozilla-1.7.3-0.2.0 nfs-utils-1.0.6-22 ruby-1.8.1-5 slang-1.4.9-12 xinitrc-3.41-1 xorg-x11-6.7.0-9
FC3: aspell-bg-0.50-7 bash-3.0-18 brltty-3.2-6 cvs-1.11.17-4 firefox-1.0-2.fc3 gamin-0.0.17-1.FC3 iptables-1.2.11-3.1.FC3 kernel-2.6.9-1.678_FC3 kernel-2.6.9-1.681_FC3 libselinux-1.19.1-3 libxml-1.8.17-12 man-1.5o1-7 man-pages-pl-0.23-4 policycoreutils-1.18.1-2 postfix-2.1.5-2.3.FC3 rhgb-0.15.1-1.FC3 shadow-utils-4.0.3-38 shadow-utils-4.0.3-40 slang-1.4.9-7 slang-1.4.9-13 udev-039-10.FC3.2 words-3.0-2
Besides this there were twice two announcements that had the same id:
FEDORA-2004-378:
kdelibs-3.3.1-2.2 for FC3
kdegraphics-3.3.1-2.1 for FC3

FEDORA-2004-407:
libxml2-2.6.16-3 for FC3
libxml2-2.6.16-2 for FC2
Best regards.
--
Dipl.-Ing. (FH) Bernd Bartmann
Bernd.Bartmann@sohanet.de
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46
On Mon, 22 Nov 2004 23:14:54 +0100, Bernd Bartmann wrote:
> After FC3 final has been released several updates have been pushed out to the mirrors and yet again we haven't seen any announcement for some of them. Some announcements for FC2 and even FC1 are still missing too:
As this list points out, this is a continuing process problem. The only guaranteed engineered solution to prevent this from happening is to make filing an announcement text a blocking requirement for submitting a package as an update. But that will require a level of automation and red-tape that I don't think anyone inside the fenceline really wants to or has time to implement.
It's my understanding that the primary reason these announcements aren't making it out the door is that individual maintainers are simply forgetting to create an announcement text and submit it to the announce list.
As a compromise, I would like to suggest that an autobug filer script be created that would file a bug report against a component if an update goes unannounced for 3+ days in an effort to make the individual package maintainer aware of the problem in a timely fashion. While the summary reports to the public lists are somewhat useful.... finding a way to poke the individual package maintainers more directly seems to be needed. All the information needed should be available from the master mirror.. maybe just parsing the repository metadata would be enough.
And I realize the existence of security issues greatly complicates when and how information is released. I'm trying to come up with discreet solution that makes sure announcements don't fall through the cracks and are completely forgotten.
Thoughts? Is a script designed to automate filing missing update announcement bugs a realistic and useful way forward?
-jef
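A sketch of the check proposed in the message above, added here as an example and not code from the thread or from Fedora: it flags updates that have sat on the mirror for 3+ days with no announcement, holds off while an embargo date is pending, and also reports advisory ids used more than once, as in the first message. The record layout, all dates and the embargo entry are constructed assumptions; the package names and advisory ids are the ones listed in the thread.

```python
from collections import defaultdict
from datetime import date, timedelta

GRACE = timedelta(days=3)  # "unannounced for 3+ days" threshold from the proposal

# Constructed sample: (release, package NVR, date seen on mirror, embargo-until or None).
# NVRs come from the thread's list; every date and the embargo are made up.
UPDATES = [
    ("FC3", "bash-3.0-18", date(2004, 11, 15), None),
    ("FC3", "cvs-1.11.17-4", date(2004, 11, 21), None),
    ("FC3", "kernel-2.6.9-1.681_FC3", date(2004, 11, 16), date(2004, 11, 30)),
    ("FC2", "ruby-1.8.1-5", date(2004, 11, 10), None),
    ("FC3", "kdelibs-3.3.1-2.2", date(2004, 11, 12), None),
]

# Constructed sample of announcements seen on the list: (advisory id, release, NVR).
ANNOUNCED = [
    ("FEDORA-2004-378", "FC3", "kdelibs-3.3.1-2.2"),
    ("FEDORA-2004-378", "FC3", "kdegraphics-3.3.1-2.1"),
    ("FEDORA-2004-407", "FC3", "libxml2-2.6.16-3"),
    ("FEDORA-2004-407", "FC2", "libxml2-2.6.16-2"),
]

def overdue(updates, announced, today):
    """Return (release, nvr, days_late) for updates past the grace period with no announcement."""
    seen = {(rel, nvr) for _id, rel, nvr in announced}
    late = []
    for rel, nvr, pushed, embargo in updates:
        if (rel, nvr) in seen:
            continue
        # An embargoed advisory is only expected from its release date onward.
        start = max(pushed, embargo) if embargo else pushed
        if today - start >= GRACE:
            late.append((rel, nvr, (today - start).days))
    return sorted(late)

def duplicate_ids(announced):
    """Return advisory ids that were used for more than one (release, package)."""
    by_id = defaultdict(set)
    for adv_id, rel, nvr in announced:
        by_id[adv_id].add((rel, nvr))
    return {i: sorted(v) for i, v in by_id.items() if len(v) > 1}

if __name__ == "__main__":
    for rel, nvr, days in overdue(UPDATES, ANNOUNCED, date(2004, 11, 22)):
        print(f"{rel}: {nvr} unannounced for {days} days -> file bug against component")
    for adv_id, pkgs in duplicate_ids(ANNOUNCED).items():
        print(f"{adv_id} reused for {pkgs}")
```

Each overdue entry maps to one bug against one component, which keeps an embargoed package's report separable from the rest.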
As such script doesn't seem to exist yet what do you think of just opening something like the tracker bug for FC3 where we add all the missing update announcements. This means adding a separate bug to each package without update announcement and using this as a blocker for the tracker bug. If this looks ok to you I can volunteer and add these bugs.
Also I think there should be a central instance (person) that sends out all update announcements. Another thing that I already suggested over a year ago is that all announcements should be GPG signed using a global Fedora or Red Hat key.
Best regards.
--
Dipl.-Ing. (FH) Bernd Bartmann
Bernd.Bartmann@sohanet.de
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46
On Mon, 29 Nov 2004 12:43:15 +0100, Bernd Bartmann <bernd.bartmann@sohanet.de> wrote:
> As such script doesn't seem to exist yet what do you think of just opening something like the tracker bug for FC3 where we add all the missing update announcements. This means adding a separate bug to each package without update announcement and using this as a blocker for the tracker bug. If this looks ok to you I can volunteer and add these bugs.
Getting individual bug reports against each component is the goal... but security issues make the use of a tracking bug tricky. There will be circumstances that will require bugs to be marked as private. Having a tracking bug for missing announcements could very well mean the tracking bug itself will have to be marked private.... defeating the point of the tracking bug. Individual bug reports to components aren't as tricky... the package maintainer can mark individual reports as private if need be without impacting other components.
> Also I think there should be a central instance (person) that sends out all update announcements. Another thing that I already suggested over a year ago is that all announcements should be GPG signed using a global Fedora or Red Hat key.
This requires automation in the build process and how maintainers interact with the build system and how you define a build master individual or automated signing. I think there has been great reluctance to work on this part of the build system until after Fedora Extras officially launches.. in order to prevent having to redo this again once contributor updates start flowing. I'm pretty sure other people recognize something along these lines has to be done.. but the focus has been on getting the build system opened up for non Red Hat contributors. Once this happens... I hope internal efforts can be refocused on identifying several rougher aspects of the Red Hat and contributor build process including announcement generation that need some automation love.
I personally see the only guaranteed solution for announcements is to demand announcement text be in the system when a package maintainer submits a build to be an update. And such an announcement requirement will have to be flexible enough to take into account security embargoes so that an announcement text can be requested to show up on a certain date... after the package is in the update tree if need be. This is the only way to prevent packagers from forgetting about announcement text generation. Right now, it's not so tough to find a Red Hat employee to beat up on another Red Hat employee if you have access to any Red Hat people on a daily basis. But in the future... for Fedora Extras.. it's going to be much harder to get access to far flung contributors who are using the same build process as Core maintainers. And I think people realize the problem exists and I hope they realize it will get worse once contributors can start spinning up packages into Extras from the same build system. But any real process solution is going to have to fit inside the details of the contributor build process.. which isn't finalized. It's just one of those situations where the problem is obvious, and the potential solution space is very wide.. but all specific constraints aren't in place yet to build a workable implementation that fits the larger process.
-jef
Jeff, this is all nice and your broader view for future things to come is good too, but right now I only care about all the updates that were already released and haven't seen any announcement yet.
Best regards.
--
Dipl.-Ing. (FH) Bernd Bartmann
Bernd.Bartmann@sohanet.de
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46
To get the ball rolling I've just entered bug reports for all missing announcements that were on my list. To get an overview I've also created tracker bugs for each FC release:
FC1: bug #141259
FC2: bug #141258
FC3: bug #141256
Let's hope this is useful and wakes up some of the package maintainers. At least some of them are already answering to the bugs.
Best regards.
--
Dipl.-Ing. (FH) Bernd Bartmann
Bernd.Bartmann@sohanet.de
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46
Update:
We got a lot of the missing announcements out this week, but some are still not there and I even had to add some new to the list.
For the future I plan to open a new bug for a missing announcement two days after the rpms have appeared on the download mirrors.
Best regards.
--
Dipl.-Ing. (FH) Bernd Bartmann
Bernd.Bartmann@sohanet.de
I.S. Security and Network Engineer
SoHaNet Technology GmbH / Kaiserin-Augusta-Allee 10-11 / 10553 Berlin
Fon: +49 30 214783-44 / Fax: +49 30 214783-46