Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Rich Freeman
On Sat, Oct 8, 2011 at 9:41 PM, Markos Chandras wrote: > 1) use bundled zlib and libpng14. Doh this is not a fix. It is barely > a workaround. What if a vulnerability is discovered in the bundled > version of libpng in the next months? Will upstream fix it? Highly > unlikely since they don't seem

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Matt Turner
On Sat, Oct 8, 2011 at 9:41 PM, Markos Chandras wrote: > On 10/08/11 22:45, Matt Turner wrote: >> On Sat, Oct 8, 2011 at 10:20 AM, Markos Chandras >> wrote: >>> On 10/08/2011 02:19 PM, Matt Turner wrote: On Sat, Oct 8, 2011 at 4:47 AM, Sa

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Markos Chandras
On 10/08/11 22:45, Matt Turner wrote: > On Sat, Oct 8, 2011 at 10:20 AM, Markos Chandras > wrote: >> On 10/08/2011 02:19 PM, Matt Turner wrote: >>> On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen >>> wrote: # Samuli Suominen (08 Oct 2011) #

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Robin H. Johnson
On Sat, Oct 08, 2011 at 05:44:01PM -0700, Alec Warner wrote: > On Sat, Oct 8, 2011 at 5:41 PM, "Paweł Hajdan, Jr." > wrote: > > On 10/8/11 5:01 PM, Robin H. Johnson wrote: > >>> Ah, I just forgot about that page. Okay, so can we also update the > >>> Handbook to include GPG signature checking? > >

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Alec Warner
On Sat, Oct 8, 2011 at 5:41 PM, "Paweł Hajdan, Jr." wrote: > On 10/8/11 5:01 PM, Robin H. Johnson wrote: >>> Ah, I just forgot about that page. Okay, so can we also update the >>> Handbook to include GPG signature checking? >> It DOES already mention checking the signature: >> http://www.gentoo.or

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Paweł Hajdan, Jr.
On 10/8/11 5:01 PM, Robin H. Johnson wrote: >> Ah, I just forgot about that page. Okay, so can we also update the >> Handbook to include GPG signature checking? > It DOES already mention checking the signature: > http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=2#doc_chap3 That's

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Robin H. Johnson
On Sat, Oct 08, 2011 at 08:21:44PM -0400, Matt Turner wrote: > On Sat, Oct 8, 2011 at 6:43 PM, Robin H. Johnson wrote: > > On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote: > >> I checked > >> > >> and the Ha

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Matt Turner
On Sat, Oct 8, 2011 at 6:43 PM, Robin H. Johnson wrote: > On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote: >> I checked >> >> and the Handbook only mentions validating MD5 checksums. >> >> There are two poss

Re: [gentoo-dev] GCC upgrades, FUD and gentoo documentation

2011-10-08 Thread Matt Turner
On Sat, Oct 8, 2011 at 6:57 PM, James Cloos wrote: >> "SV" == Sven Vermeulen writes: > > SV> - Since 3.4.0/4.1.0, the C++ ABI is forward-compatible, so rebuilds > SV>   from that version onwards should not be needed > > That is not generally true. > > I use gcc-4.5 as my system gcc, but mostl

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Robin H. Johnson
On Sat, Oct 08, 2011 at 04:39:40PM -0700, "Paweł Hajdan, Jr." wrote: > On 10/8/11 3:43 PM, Robin H. Johnson wrote: > >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we > >> be using something stronger? > > Fixed in Catalyst now. > > http://git.overlays.gentoo.org/gitweb/?p=pr

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Paweł Hajdan, Jr.
On 10/8/11 3:43 PM, Robin H. Johnson wrote: >> 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we >> be using something stronger? > Fixed in Catalyst now. > http://git.overlays.gentoo.org/gitweb/?p=proj/catalyst.git;a=commit;h=42b4f6608682cf03954918ecce7923330a1656fe > So when t

Re: [gentoo-dev] GCC upgrades, FUD and gentoo documentation

2011-10-08 Thread James Cloos
> "SV" == Sven Vermeulen writes: SV> - Since 3.4.0/4.1.0, the C++ ABI is forward-compatible, so rebuilds SV> from that version onwards should not be needed That is not generally true. I use gcc-4.5 as my system gcc, but mostly use 4.6 when building things outside of portage. I still run

Re: [gentoo-dev] integrity of stage files

2011-10-08 Thread Robin H. Johnson
On Sat, Oct 08, 2011 at 02:45:02PM -0700, "Paweł Hajdan, Jr." wrote: > I checked > > and the Handbook only mentions validating MD5 checksums. > > There are two possible issues: > > 1. Why are we using _only_ MD5 and SHA1 as th

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Matt Turner
On Sat, Oct 8, 2011 at 10:20 AM, Markos Chandras wrote: > On 10/08/2011 02:19 PM, Matt Turner wrote: >> On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen >> wrote: >>> # Samuli Suominen (08 Oct 2011) # Fails to >>> compile against system libpng15, bug 356127 # Removal in 14 days >> >> 14 days? >>

[gentoo-dev] integrity of stage files

2011-10-08 Thread Paweł Hajdan, Jr.
I checked and the Handbook only mentions validating MD5 checksums. There are two possible issues: 1. Why are we using _only_ MD5 and SHA1 as the checksums? Shouldn't we be using something stronger? 2. I noticed the checksums

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Fabian Groffen
On 08-10-2011 18:33:15 +0300, Samuli Suominen wrote: > It's not like fastened lastriting hasn't happened before. I question > your motives in picking this particular one. It's not like I expected > cookies for the time I've put into this porting effort, but not this > "attack" either. If you feel

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Samuli Suominen
On 10/08/2011 06:13 PM, Fabian Groffen wrote: > On 08-10-2011 11:05:08 -0400, Rich Freeman wrote: >> If the extra 16 days will actually accomplish something beyond just >> delaying libpng then we can debate the finer points of policy. >> However, if we're just arguing policy for its own sake then I

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Tomáš Chvátal
Guys, the policy makes perfect sense, there are people that sync just monthly, so they might want to get some heads-up why their packages are going away, and not just remove them. That's why the recommended value is 60 days, 30 for urgent cases, lately we just moved to 30 for everything, but please

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Fabian Groffen
On 08-10-2011 11:05:08 -0400, Rich Freeman wrote: > If the extra 16 days will actually accomplish something beyond just > delaying libpng then we can debate the finer points of policy. > However, if we're just arguing policy for its own sake then I don't > see the value. Perhaps a package maintain

[gentoo-dev] Re: GCC upgrades, FUD and gentoo documentation

2011-10-08 Thread Diego Elio Pettenò
On Sat, 08/10/2011 at 11.33 +, Sven Vermeulen wrote: > > - The fix_libtool_files.sh command is now part of the toolchain > eclass, so > doesn't need to be run by users anymore Moreover, that should only be needed for very old installs: libstdc++.la that caused the trouble in

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Rich Freeman
On Sat, Oct 8, 2011 at 10:20 AM, Markos Chandras wrote: > On 10/08/2011 02:19 PM, Matt Turner wrote: >> 14 days? > We can't really wait forever for slacking maintainers to fix their > packages. amd64 is almost ready to have libpng-1.5 stable in the very > near future > Didn't we just do this thre

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Fabian Groffen
On 08-10-2011 15:49:00 +0100, Markos Chandras wrote: > >> We can't really wait forever for slacking maintainers to fix > >> their packages. amd64 is almost ready to have libpng-1.5 stable > >> in the very near future > > > > http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=5#

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Markos Chandras
On 10/08/2011 03:28 PM, Fabian Groffen wrote: > On 08-10-2011 15:20:56 +0100, Markos Chandras wrote: >> On 10/08/2011 02:19 PM, Matt Turner wrote: >>> On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suomi

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Fabian Groffen
On 08-10-2011 15:20:56 +0100, Markos Chandras wrote: > On 10/08/2011 02:19 PM, Matt Turner wrote: > > On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen > > wrote: > >> # Samuli Suominen (08 Oct 2011) # Fails to > >> compile against system libpn

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Markos Chandras
On 10/08/2011 02:19 PM, Matt Turner wrote: > On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen > wrote: >> # Samuli Suominen (08 Oct 2011) # Fails to >> compile against system libpng15, bug 356127 # Removal in 14 days > > 14 days? > >> media-gfx/pn

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Samuli Suominen
On 10/08/2011 04:19 PM, Matt Turner wrote: > On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen wrote: >> # Samuli Suominen (08 Oct 2011) >> # Fails to compile against system libpng15, bug 356127 >> # Removal in 14 days > > 14 days? approx. 14 days and counting to CC archteams in the libpng15 stab

Re: [gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Matt Turner
On Sat, Oct 8, 2011 at 4:47 AM, Samuli Suominen wrote: > # Samuli Suominen (08 Oct 2011) > # Fails to compile against system libpng15, bug 356127 > # Removal in 14 days 14 days? > media-gfx/pngcrush

[gentoo-dev] GCC upgrades, FUD and gentoo documentation

2011-10-08 Thread Sven Vermeulen
Hi guys There is some FUD regarding GCC upgrades and I don't have the proper knowledge to write a correct document on GCC upgrades. As you are currently aware, we have a GCC upgrade guide [1], but it has seen its last update in 2008. Since then, things have undoubtedly changed. What I can find on

[gentoo-dev] Lastrite: media-gfx/pngcrush

2011-10-08 Thread Samuli Suominen
# Samuli Suominen (08 Oct 2011) # Fails to compile against system libpng15, bug 356127 # Removal in 14 days media-gfx/pngcrush