[Mageia-dev] Security updates - Help needed (also forgot avidemux and gstreamer0.10-ffmpeg)

Sun Jul 8 13:49:36 CEST 2012

On Fri, 06 Jul 2012, Claire Robinson wrote:

>
> This has nothing to do with being rude.
>
> As I said previously, this is being blown wildly out of proportion. In 
> reality it centres around one packager and two bugs. In both these bugs the 
> packager expected QA to validate updates where one was an xinetd service 
> which expressly stated it was disabled by default but in actual fact was 
> enabled and in the other a mailing list with a web interface which simply 
> couldn't work in it's default configuration.
>
> What it being thrown at us is that we are unreasonably expecting every 
> single little bug to be fixed without any common and need to make drastic 
> changes to our policies.
>
> We attended the packager meeting on Wednesday to respond to this and 
> discuss it. At the meeting it was agreed that we had not changed the way we 
> have been doing things since day one and that the right way forward was to 
> continue doing what we were doing, with both packagers and QA using common 
> sense.

The argument you keep repeating about your opinion being common sense is
insulting for the people who do not have the same opinion. You could at
least admit that other people may have a different point of view,
without saying they don't have common sense.

> The following day the same far fetched accusations are thrown at us again, 
> now escalated to the ML, suggesting we caused a months delay and suggesting 
> a solution to the accusation being we begin to 'rubber stamp' security 
> updates regardless of if they actually work or not or an internet facing 
> service which says it's disabled is actually not so.
>
> In both cases there were simple ways to fix them. In one it was just to 
> alter the description (2 minutes) so it didn't say it was disabled and in 
> the other it was either to add a suggest or alter the default configuration 
> so it didn't require the missing suggest (2 minutes).
>
> We have to use common sense in QA and only ask that, to avoid all this 
> unpleasantness in the future, common sense is used by the packager also. 
> All this is a reaction to 4 minutes of additional work. That is not common 
> sense to me.

Of course if you considere packagers should blindly apply any change
requested without any possible discussion because you decided it's common
sense, it only takes 2 minutes. But conscientious packagers usually try
to understand the problem they are fixing, think about the potential
problems introduced by the change, look at the alternative solutions,
etc ...

Also adding new suggests or changing default configuration should be
avoided in updates. The new suggest will be installed even for people
who already have a working setup. And the configuration file will be
updated for the people who did not need to modify it and don't
necessarily expect this kind of change in an update.

> If we're expected to validate updates in the state these two bugs reached 
> us then we may as well not be here at all.

The goal of updates testing is to find regressions, not to do extensive
testing to find new unrelated bugs. This kind of testing can be useful,
but not as part of updates testing, and preferably on Cauldron.