Re: GnuPG: Maintainer inactive?
Am Mittwoch, den 16.04.2008, 14:19 +0200 schrieb Kai Wasserbäch: > on the 1st of April I wrote an e-mail to James Troup offering my help in > hunting > down open bugs which are no longer present an thus enabling him to concentrate > on packaging GnuPG 1.4.9. But his last action regarding this package is well > over an year old and the only updates I can see in the PTS were made by the > Security Team. And before I forget to write it: I didn't receive an answer. > So my question is: Is James known to be inactive? Are there others currently > on > the task to get a new version (upstream has 1.4.9) into Debian? I tried to get into it after I found, that several issues were fixed. You can find some tagging and commenting by my person at the BTS. But for known reasons (told it on the planet), I'm currently busy and offline. However: We should REALLY give more love to this package. I mean, there is a very active and helpful upstream, but an inactive maintenance which lead to >130 open bug report. I don't think, that upstream will keep up taking care of bug reports in the Debian BTS with this amount of reports. We should try to track down issues and decrease the amount of open bug reports to keep the good relationship to upstream. I hope, you understand, what I want to say. I mean: having such an upstream is a very fortunate situation. > Is there > anything I can help (I'm certainly not suitable as a maintainer for that > package > myself, because it's too essential to be entrusted to someone who is unknown > to > (nearly) all people on this list) with, e.g. by triaging bugs? > > Should this question already have been discussed somewhere, please point me > to it. Here is, what I found out yet after a short look (just a c&p): *** Main: 452118: new upstream release *** Fixed in 1.4.7 and newer: 201589: Removed shutdown code in util/http.c and fix http_proxy (739) 402592: Limit bytes read for an unknown alogorithm 412508, 420613: Build changes to fully evaluate paths 431828: Decrypt multiple files and not just the first *** Maybe fixed 1.4.7 and newer: ... *** Fixed in older releases: 72148: will deadlock with no timeout if keyserver cannot close socket (151) 137381: http_proxy support (361) 146345: gnupg: Can't restrict access to secring.gpg (--enable-selinux-support) *** Maybe fixed in older releases (needs to be verified): 166794, 172823: --search leads to segfault *** Forward candidates: 58260, 317654: remove existing lockfiles *** Wontfix candidates (upstream rejected without final notice or candidate): 310805: gnupg: fully exportable armored homedir is completely impossible now! 162742: gnupg: Please handle "deprecated option honor-http-proxy" *** Close candidate (upstream rejected change): 185782: `--batch --output existingfile' outputs nothing and exits 0 196681: gnupg: gpg says /dev/[EMAIL PROTECTED] isn't a valid email address *** Maybe is addressed (patch exists somehow and somewhere): 262467: 16_min_privileges breaks gpg on kernels without capabilities *** Maybe should be addressed: 130363: gnupg: Duplicate key is handled as error (upstream) 133923: gnupg: Reports bug on --list-keys *** Debian package related (to fix with update): 357267: conditional libcap-dev dependency 399092: debian/gzip.1 manpage 399167: ldap -> recommends 453122: not suid-root > Thank you in advance for your reply(s). HTH (will be back during mid of May and I'm willing to help) Regards, Daniel
Re: GnuPG: Maintainer inactive?
On Wed, Apr 16, 2008 at 09:33:32PM +0200, Lucas Nussbaum wrote: > On 16/04/08 at 17:08 +0200, Francesco P. Lovergine wrote: > > On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote: > > > There are rumours about that, yes. Maybe a package hijack could be > > > attempted by someone who's lucky enough to have his|her key in the > > > keyring. > > > > ... and still have it after that upload :-P > > You are probably joking. > Of course yes, isn't that evident? -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: GnuPG: Maintainer inactive?
On 16/04/08 at 17:08 +0200, Francesco P. Lovergine wrote: > On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote: > > There are rumours about that, yes. Maybe a package hijack could be > > attempted by someone who's lucky enough to have his|her key in the > > keyring. > > ... and still have it after that upload :-P You are probably joking. But if a member of a team with some special rights on the Debian infrastructure (ab)used his/her rights to remove a key from the keyring, or to prevent access to Debian resources, for no valid reason or without a proper procedure, I'm sure that many developers would loudly protest and wouldn't let that happen. -- | Lucas Nussbaum | [EMAIL PROTECTED] http://www.lucas-nussbaum.net/ | | jabber: [EMAIL PROTECTED] GPG: 1024D/023B3F4F | -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: GnuPG: Maintainer inactive?
Michael Banck wrote: > On Wed, Apr 16, 2008 at 02:19:12PM +0200, Kai Wasserbäch wrote: >> on the 1st of April I wrote an e-mail to James Troup offering my help in >> hunting >> down open bugs which are no longer present an thus enabling him to >> concentrate >> on packaging GnuPG 1.4.9. But his last action regarding this package is well >> over an year old and the only updates I can see in the PTS were made by the >> Security Team. And before I forget to write it: I didn't receive an answer. >> So my question is: Is James known to be inactive? Are there others currently >> on >> the task to get a new version (upstream has 1.4.9) into Debian? Is there >> anything I can help (I'm certainly not suitable as a maintainer for that >> package >> myself, because it's too essential to be entrusted to someone who is unknown >> to >> (nearly) all people on this list) with, e.g. by triaging bugs? > > I guess triaging bugs (i.e. marking bugs which have been fixed upstream > in newer versions as "fixed-upstream" or mention bugs which can be > closed already cause they are fixed in the current version in the > appropriate bug (CCing the submitter, so they can possibly close it > themselves) is always welcome, regardless of any other action or > non-action by the maintainer. gnupg is very important and unmaintained for all practical purposes. It should be hijacked and brought into shape for Lenny. Cheers, Moritz -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: GnuPG: Maintainer inactive?
On Wed, Apr 16, 2008 at 04:49:50PM +0200, Christian Perrier wrote: > > There are rumours about that, yes. Maybe a package hijack could be > attempted by someone who's lucky enough to have his|her key in the > keyring. > ... and still have it after that upload :-P -- Francesco P. Lovergine -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: GnuPG: Maintainer inactive?
Quoting Kai Wasserbäch ([EMAIL PROTECTED]): > Hello, > on the 1st of April I wrote an e-mail to James Troup offering my help in > hunting You shouldn't have done this on 1st of April as you could then have received an answer. > So my question is: Is James known to be inactive? Are there others currently > on There are rumours about that, yes. Maybe a package hijack could be attempted by someone who's lucky enough to have his|her key in the keyring. signature.asc Description: Digital signature
Re: GnuPG: Maintainer inactive?
Hello again, Kai Wasserbäch wrote: > [...] Is there anything I can help (I'm certainly not suitable as a maintainer > for that package myself, because it's too essential to be entrusted to someone > who is unknown to (nearly) all people on this list) with, e.g. by triaging > bugs? I've just seen, that Daniel Leidert is already on it and triages the bugs. If you (Daniel) would like me to help you, just let me know. Otherwise just: thank you. Kind regards, Kai Wasserbäch -- Kai Wasserbäch (Kai Wasserbaech) E-Mail: [EMAIL PROTECTED] Jabber (debianforum.de): Drizzt URL: http://wiki.debianforum.de/Drizzt_Do%27Urden GnuPG: 0xE1DE59D2 0600 96CE F3C8 E733 E5B6 1587 A309 D76C E1DE 59D2 (http://pgpkeys.pca.dfn.de/pks/lookup?search=0xE1DE59D2&fingerprint=on&hash=on&op=vindex) signature.asc Description: OpenPGP digital signature
Re: GnuPG: Maintainer inactive?
On Wed, Apr 16, 2008 at 02:19:12PM +0200, Kai Wasserbäch wrote: > on the 1st of April I wrote an e-mail to James Troup offering my help in > hunting > down open bugs which are no longer present an thus enabling him to concentrate > on packaging GnuPG 1.4.9. But his last action regarding this package is well > over an year old and the only updates I can see in the PTS were made by the > Security Team. And before I forget to write it: I didn't receive an answer. > So my question is: Is James known to be inactive? Are there others currently > on > the task to get a new version (upstream has 1.4.9) into Debian? Is there > anything I can help (I'm certainly not suitable as a maintainer for that > package > myself, because it's too essential to be entrusted to someone who is unknown > to > (nearly) all people on this list) with, e.g. by triaging bugs? I guess triaging bugs (i.e. marking bugs which have been fixed upstream in newer versions as "fixed-upstream" or mention bugs which can be closed already cause they are fixed in the current version in the appropriate bug (CCing the submitter, so they can possibly close it themselves) is always welcome, regardless of any other action or non-action by the maintainer. Michael -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
GnuPG: Maintainer inactive?
Hello, on the 1st of April I wrote an e-mail to James Troup offering my help in hunting down open bugs which are no longer present an thus enabling him to concentrate on packaging GnuPG 1.4.9. But his last action regarding this package is well over an year old and the only updates I can see in the PTS were made by the Security Team. And before I forget to write it: I didn't receive an answer. So my question is: Is James known to be inactive? Are there others currently on the task to get a new version (upstream has 1.4.9) into Debian? Is there anything I can help (I'm certainly not suitable as a maintainer for that package myself, because it's too essential to be entrusted to someone who is unknown to (nearly) all people on this list) with, e.g. by triaging bugs? Should this question already have been discussed somewhere, please point me to it. Thank you in advance for your reply(s). Kind regards, Kai Wasserbäch -- Kai Wasserbäch (Kai Wasserbaech) E-Mail: [EMAIL PROTECTED] Jabber (debianforum.de): Drizzt URL: http://wiki.debianforum.de/Drizzt_Do%27Urden GnuPG: 0xE1DE59D2 0600 96CE F3C8 E733 E5B6 1587 A309 D76C E1DE 59D2 (http://pgpkeys.pca.dfn.de/pks/lookup?search=0xE1DE59D2&fingerprint=on&hash=on&op=vindex) signature.asc Description: OpenPGP digital signature