[gentoo-dev] [warning] the bug queue has 89 bugs

2013-11-06 Thread Alex Alexander
Our bug queue has 89 bugs! If you have some spare time, please help assign/sort a few bugs. To view the bug queue, click here: http://bit.ly/m8PQS5 Thanks!

[gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Michał Górny
Please review the following news item. I would prefer committing it as soon as I get an ACK from all the relevant parties since the issue is hitting users pretty hard. Title: python-exec package move Author: Michał Górny Content-Type: text/plain Posted: 2013-xx-xx Revision: 1 News-Item-Format: 1

[gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Ian Stakenvicius
Hi all... Mozilla had a bug recently ( http://bugs.gentoo.org/show_bug.cgi?id=489838 ) that I think has much wider implications for all packages, and I would like to discuss how to best address this. The synopsis of the situation is that the latest

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Kent Fredric
On 7 November 2013 04:15, Ian Stakenvicius wrote: > > The bug that was filed, is that a user didn't do a full emerge -uDN > @world prior to emerging (upgrading?) firefox, and they had icu-49 > already installed. Because the firefox dep didn't have a minimum > version, portage didn't see upgradin

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Ian Stakenvicius
On 06/11/13 10:26 AM, Kent Fredric wrote: > > On 7 November 2013 04:15, Ian Stakenvicius > wrote: > > > The bug that was filed, is that a user didn't do a full emerge > -uDN @world prior to emerging (upgrading?) firefox, a

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Alexis Ballier
On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote: > However, it's been a long-standing general practise that if there are > no deps in the tree older than what is necessary for a package, that > package doesn't need to have a minimum version on the dependency atom. > As such, issues simil

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Paweł Hajdan, Jr.
On 11/6/13 7:15 AM, Ian Stakenvicius wrote: > The synopsis of the situation is that the latest firefox ebuild now > depends on icu, specifically icu-50.1 or above. When this version of > firefox was added to the tree, the lowest version of icu in the tree > was icu-51.0 -- in fact, icu-48 through

Re: [gentoo-dev] [warning] the bug queue has 89 bugs

2013-11-06 Thread Tom Wijsman
On Wed, 6 Nov 2013 14:00:02 +0200 (EET) Alex Alexander wrote: > Our bug queue has 89 bugs! > > If you have some spare time, please help assign/sort a few bugs. > > To view the bug queue, click here: http://bit.ly/m8PQS5 Is this notice automated? Feel free to ping us (b-w) as well or instead.

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Alan McKinnon
On 06/11/2013 17:26, Kent Fredric wrote: > > On 7 November 2013 04:15, Ian Stakenvicius > wrote: > > > The bug that was filed, is that a user didn't do a full emerge -uDN > @world prior to emerging (upgrading?) firefox, and they had icu-49 > already installed

Re: [gentoo-dev] [warning] the bug queue has 89 bugs

2013-11-06 Thread Alex Alexander
On Wed, Nov 6, 2013 at 6:08 PM, Tom Wijsman wrote: > On Wed, 6 Nov 2013 14:00:02 +0200 (EET) > Alex Alexander wrote: > > > Our bug queue has 89 bugs! > > > > If you have some spare time, please help assign/sort a few bugs. > > > > To view the bug queue, click here: http://bit.ly/m8PQS5 > > Is t

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Tom Wijsman
On Wed, 6 Nov 2013 16:12:47 +0100 Michał Górny wrote: > Please note that if you applied any kind of package-specific ^ have applied > If you applied keywords to dev-python/python-exec in order to unmask ^ have applied > Python 3.3 on a stable system, ple

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Dirkjan Ochtman
On Wed, Nov 6, 2013 at 4:12 PM, Michał Górny wrote: > Please review the following news item. I would prefer committing it > as soon as I get an ACK from all the relevant parties since the issue > is hitting users pretty hard. LGTM. I have two questions that should not block this news item from g

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Michał Górny
On 2013-11-06, at 18:14:57, Dirkjan Ochtman wrote: > On Wed, Nov 6, 2013 at 4:12 PM, Michał Górny wrote: > > Please review the following news item. I would prefer committing it > > as soon as I get an ACK from all the relevant parties since the issue > > is hitting users pretty hard.

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Michał Górny
Update 1: - applied comments from TomWij, - changed the wording to reflect that 'emerge @world' may not work, - shortened the wiki URI, - added contact info in case of more issues. Title: python-exec package move Author: Michał Górny Content-Type: text/plain Posted: 2013-11-07 Revision: 1 News-It

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread yac
On Wed, 06 Nov 2013 16:48:54 +0100 Alexis Ballier wrote: > On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote: > > However, it's been a long-standing general practise that if there > > are no deps in the tree older than what is necessary for a package, > > that package doesn't need to have

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Ian Stakenvicius
On 06/11/13 12:56 PM, yac wrote: > On Wed, 06 Nov 2013 16:48:54 +0100 Alexis Ballier > wrote: > >> On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote: >>> However, it's been a long-standing general practise that if >>> there are no deps in t

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Mike Gilbert
On Wed, Nov 6, 2013 at 1:04 PM, Ian Stakenvicius wrote: > On 06/11/13 12:56 PM, yac wrote: >> On Wed, 06 Nov 2013 16:48:54 +0100 Alexis Ballier >> wrote: >> >>> On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote: However, it's been a long-standing general practise that if there a

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Rich Freeman
On Wed, Nov 6, 2013 at 11:15 AM, Alan McKinnon wrote: > I agree with this sentiment. It's always been my view that the needs of > a package are driven by the package itself, not by the tree. > > Rationale: A package will build and run as long as its own requirements > are met regardless of what t

Re: [gentoo-dev] Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread yac
On Wed, 6 Nov 2013 13:22:13 -0500 Mike Gilbert wrote: > On Wed, Nov 6, 2013 at 1:04 PM, Ian Stakenvicius > wrote: > > On 06/11/13 12:56 PM, yac wrote: > >> On Wed, 06 Nov 2013 16:48:54 +0100 Alexis Ballier > >> wrote: > >> > >>> On Wed, 2013-11-06 at 10:15 -0500, Ian Stakenvicius wrote: >

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Michael Orlitzky wrote: > You should disable OCSP anyway. In Firefox, it's under, > > Edit -> Preferences -> Advanced -> Encryption -> Validation > > The OCSP protocol is itself vulnerable to MITM attacks, which is cute > when you consider its purpose. > > Moreover, it sends the addres

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Pacho Ramos
On Wed, 06-11-2013 at 18:20 +0100, Michał Górny wrote: > On 2013-11-06, at 18:14:57 > Dirkjan Ochtman wrote: > > > On Wed, Nov 6, 2013 at 4:12 PM, Michał Górny wrote: > > > Please review the following news item. I would prefer committing it > > > as soon as I get an ACK from al

Re: [gentoo-dev] News item for review: python-exec package move

2013-11-06 Thread Ian Stakenvicius
On 06/11/13 02:56 PM, Pacho Ramos wrote: > On Wed, 06-11-2013 at 18:20 +0100, Michał Górny wrote: >> On 2013-11-06, at 18:14:57 Dirkjan Ochtman >> wrote: >> >>> On Wed, Nov 6, 2013 at 4:12 PM, Michał Górny >>> wrote: Please

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread mingdao
On Wed, Nov 06, 2013 at 08:11:52PM +0100, Thomas D. wrote: > Hi, > > Michael Orlitzky wrote: > > You should disable OCSP anyway. In Firefox, it's under, > > > > Edit -> Preferences -> Advanced -> Encryption -> Validation > > > > The OCSP protocol is itself vulnerable to MITM attacks, which

[gentoo-dev] Re: Policy-level discussion for minimum versions on dependencies

2013-11-06 Thread Duncan
Rich Freeman posted on Wed, 06 Nov 2013 13:28:13 -0500 as excerpted: > I think giving the resolver as much information as possible will only > tend to reduce issues, especially in a distro like Gentoo where doing > things differently is the norm. ++ to both you and Alan McK's thoughts. Meanwhile

[gentoo-dev] Re: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Duncan
Thomas D. posted on Wed, 06 Nov 2013 20:11:52 +0100 as excerpted: > Michael Orlitzky wrote: >> You should disable OCSP anyway. In Firefox, it's under, >> >> Edit -> Preferences -> Advanced -> Encryption -> Validation >> >> The OCSP protocol is itself vulnerable to MITM attacks, which is >>

[gentoo-dev] OCSP Was: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Duncan
mingdao posted on Wed, 06 Nov 2013 14:13:34 -0600 as excerpted: > Thanks for the detailed explanation, Thomas. > > Now, if any one of us turned off OCSP as Michael suggested, what should > one do after turning it back on? Could there now be certificates trusted > there which should not be? AFAIK

[gentoo-dev] Suggestion: support the Dev team with system resources

2013-11-06 Thread Denis M.
Hello gentoo-dev@, Starting with a little intro, I'm currently providing a Gentoo VM to a gentoo dev (Agostino Sarubbo (ago)) for the purpose of testing/stabilizing/keywording packages, which is part of his task as a developer and being part of the AT team. I've been running the VM for him for a c

Re: [gentoo-dev] Suggestion: support the Dev team with system resources

2013-11-06 Thread Andreas K. Huettel
On Thursday, 7 November 2013, 00:18:19, Denis M. wrote: > Hello gentoo-dev@, > > Starting with a little intro, I'm currently providing a Gentoo VM to a > gentoo dev (Agostino Sarubbo (ago)) for the purpose of > testing/stabilizing/keywording packages, which is part of his task as a > developer

Re: [gentoo-dev] Suggestion: support the Dev team with system resources

2013-11-06 Thread Denis M.
On 11/07/2013 12:37 AM, Andreas K. Huettel wrote: > On Thursday, 7 November 2013, 00:18:19, Denis M. wrote: >> Hello gentoo-dev@, >> >> Starting with a little intro, I'm currently providing a Gentoo VM to a >> gentoo dev (Agostino Sarubbo (ago)) for the purpose of >> testing/stabilizing/keyword

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, mingdao wrote: > Now, if any one of us turned off OCSP as Michael suggested, what should one do > after turning it back on? Could there now be certificates trusted there which > should not be? Well, only your current browser session can be affected. For Firefox: History -> Clear Recent His

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Michael Orlitzky
On 11/06/2013 02:11 PM, Thomas D. wrote: > > This is going OT but I cannot leave this statement uncommented, > because from my knowledge this is wrong/you are hiding important > information everyone should know about: I figure everyone here is smart

Re: [gentoo-dev] OCSP Was: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Duncan wrote: > Meanwhile, another question for Thomas. Is this "certificate stapling" > the same thing google chrome is now doing for the google site, that > enabled it to detect the (I think it was) Iranian and/or Chinese CA > tampering, allowing them to say a "google" cert was valid tha

Re: [gentoo-dev] OCSP was: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Alex Xu
On 06/11/13 08:00 PM, Michael Orlitzky wrote: > On 11/06/2013 02:11 PM, Thomas D. wrote: > >> This is going OT but I cannot leave this statement uncommented, >> because from my knowledge this is wrong/you are hiding important >> information everyone should know about: > > I figure everyone here i

Re: [gentoo-dev] friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Thomas D.
Hi, Michael Orlitzky wrote: >> If you are aware of any other known attacks, please share. > > Replay attacks, mentioned in the RFC (or Google). These could be > mitigated, but no one has bothered. The OCSP response is signed. The signature contains a time stamp. If your clock is right, replay

Re: [gentoo-dev] OCSP was: friendly reminder wrt net virtual in init scripts

2013-11-06 Thread Gordon Pettey
On Wed, Nov 6, 2013 at 7:36 PM, Alex Xu wrote: > On 06/11/13 08:00 PM, Michael Orlitzky wrote: >> On 11/06/2013 02:11 PM, Thomas D. wrote: >> >>> This is going OT but I cannot leave this statement uncommented, >>> because from my knowledge this is wrong/you are hiding important >>> information eve