On Fri, Mar 18, 2011 at 10:26 AM, Stefan Sperling <s...@elego.de> wrote:
> On Fri, Mar 18, 2011 at 10:13:00AM -0400, Nico Kadel-Garcia wrote:
>> On Fri, Mar 18, 2011 at 10:07 AM, Stefan Sperling <s...@elego.de> wrote:
>> > On Thu, Mar 17, 2011 at 11:33:41PM -0400, Nico Kadel-Garcia wrote:
>> >> The 1.6.16 has some minor build-structure changes that have broken the
>> >> SRPM's. I'm wondering if it's even worth pursuing, for environments
>> >> that don't rely on HTTP/HTTPS authentication, especially because I'm
>> >> such a long-standing deprecator of that approach. (This is because the
>> >> Linux and UNIX clients store the passwords for HTTP/HTTPS access in
>> >> clear text.)
>> >
>> > That's not a good reason to neglect a security update. There are folks who
>> > need the update. Not that you're obliged to provide one -- you're doing
>> > voluntary work, after all. But I'd expect a package maintainer to
>> > keep the entire userbase in mind. Not just those running particular setups.
>> > It's not as if a Subversion HTTP/HTTPS setup was an unsupported use case.
>>
>> You've a point, but enabling people to repeat the errors of
>> mishandling stored passwords is not that high on my priority list.
>
> Fair enough.
>
> I will stop recommending RPMforge packages until more responsible
> maintainers show up.

Oh, my. Let's not get *into* the responsibility, shall we?

Rechecking my test environment, 1.6.16 builds well enough on RHEL 5/CentOS 5 with just the version change. RHEL 6 is a *disaster*, partly due to swig integration. (RHEL 6 finally has a recent enough swig and sqlite not to need the separate tarballs, but that code needs graceful management.)

The internal ".spec" structure in http://svn.apache.org/repos/asf/subversion/trunk/packages/rpm/ is also *very* dangerous. It replaces the user's own .rpmmacros, without warning and without making a backup. This is hideous behavior. I'll send along some patches for that ASAP.

>> And the creeping changes to the build structure are making it more awkward
>> to maintain. If 1.7.0 is coming out soon, I'm not clear it's worth my
>> efforts to even bother with this minor release.
>
> 1.7.0 isn't coming out soon.