Re: Returned post for annou...@apache.org

2021-02-13 Thread Private List Moderation
On Thu, 11 Feb 2021 at 19:24, Nathan Hartman 
wrote:

> On Thu, Feb 11, 2021 at 11:33 AM Daniel Sahlberg
>  wrote:
> >
> > *thread reply*
> >
> > I think everyone should take a deep breath and then we should re-start
> the conversation with the purpose of learning and improving because at the
> moment it seems that emotions are way too high.
> >
> > As I see it - and as usual, I'm new to the party so I don't have
> historical context:
> >
> > * Subversion release process dictates to announce first, update website
> later. There is a reason for it but we can improve on the process. I've
> raised this at dev@ and received positive feedback from stsp.
> > * The RM made an honest mistake and forgot to update the download page on the
> website. He has admitted and apologized. No problem, we all make mistakes,
> right?
> > * Moderation rejected the announce mail quite harshly. I would agree
> that the missing links were reasonable cause to /hold back/ the
> announcement, but I think it was done in a way (tone and outright rejection
> instead of reaching out "hey, did you forget to update the download page?")
> that didn't invite to further communication. (I'm not commenting on the KEYS
> file issue, I wasn't around last time and I don't have the time to look up
> the policy, but from what I understand this was a minor issue).
> >
> > As far as I understand everyone in the Subversion project is a
> volunteer. I don't know about the moderators but I assume they are as
> well. We need to treat each other with respect and try to find the most
> efficient way for the community as a whole and not just "looking from the
> perspective of ".
> >
> > Kind regards,
> > Daniel Sahlberg
>
>
> I agree that there needs to be respect and appreciation for everyone's
> volunteer efforts here, and in the spirit of openness and cooperation
> I have a suggestion to make:
>
> Since it seems that "not being spam" isn't enough to make an
> announcement, and this is a long standing issue (it goes back farther
> than last May), it would be immensely helpful, both for us and for the
> moderators, if there were publicly posted rules that clearly outline:
> "this is what moderators check; this is the criteria moderators use to
> accept or reject an email to this list." This would clearly set
> expectations and help to prevent the repeating issues that I'm sure
> are frustrating to the list operators, and I know are frustrating for
> us.
>
>
I agree that this would be useful.

Where would you expect to find such information?
And what rules would you expect to see?

Remember that the announce@ list is ASF-wide, so emails need to be worded
accordingly.

> Thanks to everyone for your support.
>
> Nathan
>


Re: Returned post for annou...@apache.org

2021-02-11 Thread Private List Moderation
On Thu, 11 Feb 2021 at 12:15, Branko Čibej  wrote:

> On 11.02.2021 12:23, Stefan Sperling wrote:
>
> On Thu, Feb 11, 2021 at 11:02:32AM +, Private List Moderation wrote:
>
> Irrelevant.
>
> Given that this discussion doesn't seem to be going anywhere and the
> same arguments from May 2020 are just being rehashed, I guess we will
> simply stop using the announce@ mailing list.
>
>
> I agree. This nitpicking bureaucratic mission creep has gone way over the
> top. We have our own announce@svn.a.o list anyway; I expect anyone who's
> really interested is subscribed to that.
>
> I find it kind of ironically funny that the same moderator(s) who feel
> they're empowered to enforce release policy don't feel that the normal
> escalation path (i.e., bug report to dev@) is worth taking.
>
>
There was a problem with the download page at the time it was checked.
This meant that the announce email could not be accepted.

The simplest and quickest way for the moderators to report this is to
reject the announce email.
This ensures that at least the RM gets the notification.

Yes, I could have sent a mail to the dev list instead, but that is more
work for the moderator.

It's not as if I blocked all future announce emails.
I merely rejected a single email.

Please try to see it from the moderator's point of view.

> Meh.
>
> -- Brane
>


Re: Returned post for annou...@apache.org

2021-02-11 Thread Private List Moderation
On Thu, 11 Feb 2021 at 12:17, Branko Čibej  wrote:

> On 11.02.2021 12:02, Private List Moderation wrote:
>
> On Thu, 11 Feb 2021 at 07:04, Stefan Sperling  wrote:
>
>> On Wed, Feb 10, 2021 at 11:03:39PM -0500, Nathan Hartman wrote:
>> > On Wed, Feb 10, 2021 at 7:51 PM Private List Moderation <
>> > mod-priv...@gsuite.cloud.apache.org> wrote:
>> > > When I checked the download page, there were no links for versions
>> 1.10.7
>> > > or 1.14.1.
>> > > i.e. the 2 announce mails were telling people to download versions
>> that
>> > > were not on the download page.
>> > >
>> > > As such, I felt I had to reject the announce email.
>> > >
>> > > It looks as though the page has since been updated.
>> > >
>> >
>> >
>> > That was a race condition.
>>
>> Worse, it's a chicken-and-egg problem which is documented here:
>>
>> http://subversion.apache.org/docs/community-guide/releasing.html#releasing-release
>> """
>> NOTE: We announce the release before updating the website since the
>> website update links to the release announcement sent to the announce@
>> mailing list.
>> """
>>
>>
> Which is worse for the end user?
> - a broken link to the release announcement
> - a missing link to the download artifact referenced by the official
> announcement
>
>
> You forgot:
> - a missing release announcement.
>
> I'm pretty sure users are capable of telling us about missing links, but
> not about missing announcements.
>
>
Of course.

But if I had sent an email to the dev list instead of rejecting the
announce, the mail would still have been missing.

> -- Brane
>
>


Re: Returned post for annou...@apache.org

2021-02-11 Thread Private List Moderation
On Thu, 11 Feb 2021 at 07:04, Stefan Sperling  wrote:

> On Wed, Feb 10, 2021 at 11:03:39PM -0500, Nathan Hartman wrote:
> > On Wed, Feb 10, 2021 at 7:51 PM Private List Moderation <
> > mod-priv...@gsuite.cloud.apache.org> wrote:
> > > When I checked the download page, there were no links for versions
> 1.10.7
> > > or 1.14.1.
> > > i.e. the 2 announce mails were telling people to download versions that
> > > were not on the download page.
> > >
> > > As such, I felt I had to reject the announce email.
> > >
> > > It looks as though the page has since been updated.
> > >
> >
> >
> > That was a race condition.
>
> Worse, it's a chicken-and-egg problem which is documented here:
>
> http://subversion.apache.org/docs/community-guide/releasing.html#releasing-release
> """
> NOTE: We announce the release before updating the website since the
> website update links to the release announcement sent to the announce@
> mailing list.
> """
>
>
Which is worse for the end user?
- a broken link to the release announcement
- a missing link to the download artifact referenced by the official
announcement

The former could easily be avoided by noting that the announce mail may
take a few hours to reach the archives.

> Notwithstanding that, yes, I did actually forget to update the download
> page immediately after posting the announcements. dsahlberg kindly reminded
> me of this. I still don't see how this is a reason for blocking a legitimate
> release announcement. Instead of rejecting the announcement outright you could
> have mailed us on dev@ with a question like "This looks incomplete. Are you
> sure you want to post this announcement?". That would have been helpful, but
> moderation rejection is not helpful.
>
>
Rejecting an email is not the same as vetoing a release.

The moderators have a lot of mails to check.
It's easier from our point of view to reject the email initially, and check
again when a new email comes in.
Otherwise we have to keep track of which emails are pending.

It's not exactly difficult for the RM to send a fresh copy of the announce.
You would have to send an email to inform the moderators that the issue has
been fixed.

> Not everyone relies on the download pages to find our releases.
>
> At the moment I sent the announcement at least one distribution (Suse Linux)
> already had RPMs with the security fix ready to go because we had sent
> security pre-notifications in private about a week earlier.
>

Irrelevant.

> Cheers,
> Stefan
>


Re: Returned post for annou...@apache.org

2021-02-11 Thread Private List Moderation
On Thu, 11 Feb 2021 at 04:03, Nathan Hartman 
wrote:

> On Wed, Feb 10, 2021 at 7:51 PM Private List Moderation <
> mod-priv...@gsuite.cloud.apache.org> wrote:
>
>> On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann  wrote:
>>
>>> How can a link be more important than an announcement for a fix of an
>>> *unauthenticated* remote DoS ?
>>>
>>>
>> When I checked the download page, there were no links for versions 1.10.7
>> or 1.14.1.
>> i.e. the 2 announce mails were telling people to download versions that
>> were not on the download page.
>>
>> As such, I felt I had to reject the announce email.
>>
>> It looks as though the page has since been updated.
>>
>
>
> That was a race condition.
>
>
> As the issue is fixed, would you please allow the message through now?
>

Once an email has been rejected, it cannot be accepted.

> Do we need to re-send it?
>
>
As I wrote in both rejection comments, a corrected email needs to be sent.

> Thank you,
> Nathan Hartman
> V.P., Subversion
>
>


Re: Returned post for annou...@apache.org

2021-02-10 Thread Private List Moderation
On Wed, 10 Feb 2021 at 22:26, Erik Huelsmann  wrote:

> How can a link be more important than an announcement for a fix of an
> *unauthenticated* remote DoS ?
>
>
When I checked the download page, there were no links for versions 1.10.7
or 1.14.1.
i.e. the 2 announce mails were telling people to download versions that
were not on the download page.

As such, I felt I had to reject the announce email.

It looks as though the page has since been updated.

> Same for the KEYS file???
>
>
I never said that was equally important.

> Don't you think that's way out of proportion?
>

> Erik.
>
> On Wed, Feb 10, 2021 at 4:50 PM Private List Moderation
>  wrote:
> >
> > I don't see how the missing links can be regarded as trivial.
> > This obviously needs to be fixed before the announce can be accepted.
> >
> > At the same time, I asked for the KEYS file link to be standardised.
> > There is already a KEYS file at the standard location - why not link to
> that instead?
> >
> >
> > On Wed, 10 Feb 2021 at 15:35, Stefan Sperling  wrote:
> >>
> >> Sebb, blocking our release announcements over trivialities like this
> >> really is not a nice thing to do. Last time it happened in May 2020.
> >> It was already discussed back then and raised with the announce@
> >> moderation team.
> >>
> >> The Subversion PMC came to the conclusion that our handling of
> >> the KEYS files is adequate for our purposes:
> >> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
> >>
> >> Please raise the issue on our dev@subversion.a.o list if it bothers
> you.
> >> The moderation mechanism is supposed to prevent spam. Using it to
> enforce
> >> release workflow policies amounts to misuse of your moderation
> privileges.
> >>
> >> Regards,
> >> Stefan
> >>
> >> On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org
> wrote:
> >> >
> >> > Hi! This is the ezmlm program. I'm managing the
> >> > annou...@apache.org mailing list.
> >> >
> >> > I'm working for my owner, who can be reached
> >> > at announce-ow...@apache.org.
> >> >
> >> > I'm sorry, your message (enclosed) was not accepted by the moderator.
> >> > If the moderator has made any comments, they are shown below.
> >> >
> >> > >>>>>  >>>>>
> >> > Sorry, but the announce cannot be accepted.
> >> > The linked download page does not contain links for the version in the
> >> > email.
> >> >
> >> > Also, the standard name for the KEYS file is KEYS - no prefix, no
> suffix.
> >> > Please correct the download page, check it, and submit a corrected
> announce
> >> > mail.
> >> >
> >> > Thanks,
> >> > Sebb.
> >> > <<<<<  <<<<<
> >> >
> >>
> >> > Date: Wed, 10 Feb 2021 14:37:00 +0100
> >> > From: Stefan Sperling 
> >> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> >> >  dev@subversion.apache.org, annou...@apache.org
> >> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
> >> >  bugt...@securityfocus.com
> >> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> >> > Message-ID: 
> >> > Reply-To: us...@subversion.apache.org
> >> > Content-Type: text/plain; charset=utf-8
> >> >
> >> > I'm happy to announce the release of Apache Subversion 1.10.7.
> >> > Please choose the mirror closest to you by visiting:
> >> >
> >> > https://subversion.apache.org/download.cgi#supported-releases
> >> >
> >> > This is a stable bugfix and security release of the Apache Subversion
> >> > open source version control system.
> >> >
> >> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> >> >
> >> >   CVE-2020-17525
> >> >   "Remote unauthenticated denial-of-service in Subversion
> mod_authz_svn"
> >> >
> >> > The full security advisory for CVE-2020-17525 is available at:
> >> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> >> >
> >> > A brief summary of this advisory follows:
> >> >
> >> >   Subversion's mod_authz_svn module will crash if the server is using
> >> >   in-repository authz rules with the AuthzSVNRepos

Re: Returned post for annou...@apache.org

2021-02-10 Thread Private List Moderation
I don't see how the missing links can be regarded as trivial.
This obviously needs to be fixed before the announce can be accepted.

At the same time, I asked for the KEYS file link to be standardised.
There is already a KEYS file at the standard location - why not link to
that instead?


On Wed, 10 Feb 2021 at 15:35, Stefan Sperling  wrote:

> Sebb, blocking our release announcements over trivialities like this
> really is not a nice thing to do. Last time it happened in May 2020.
> It was already discussed back then and raised with the announce@
> moderation team.
>
> The Subversion PMC came to the conclusion that our handling of
> the KEYS files is adequate for our purposes:
> https://svn.haxx.se/dev/archive-2020-05/0156.shtml
>
> Please raise the issue on our dev@subversion.a.o list if it bothers you.
> The moderation mechanism is supposed to prevent spam. Using it to enforce
> release workflow policies amounts to misuse of your moderation privileges.
>
> Regards,
> Stefan
>
> On Wed, Feb 10, 2021 at 03:20:41PM -, announce-ow...@apache.org wrote:
> >
> > Hi! This is the ezmlm program. I'm managing the
> > annou...@apache.org mailing list.
> >
> > I'm working for my owner, who can be reached
> > at announce-ow...@apache.org.
> >
> > I'm sorry, your message (enclosed) was not accepted by the moderator.
> > If the moderator has made any comments, they are shown below.
> >
> > >  >
> > Sorry, but the announce cannot be accepted.
> > The linked download page does not contain links for the version in the
> > email.
> >
> > Also, the standard name for the KEYS file is KEYS - no prefix, no suffix.
> > Please correct the download page, check it, and submit a corrected
> announce
> > mail.
> >
> > Thanks,
> > Sebb.
> > <  <
> >
>
> > Date: Wed, 10 Feb 2021 14:37:00 +0100
> > From: Stefan Sperling 
> > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> >  dev@subversion.apache.org, annou...@apache.org
> > Cc: secur...@apache.org, oss-secur...@lists.openwall.com,
> >  bugt...@securityfocus.com
> > Subject: [SECURITY][ANNOUNCE] Apache Subversion 1.10.7 released
> > Message-ID: 
> > Reply-To: us...@subversion.apache.org
> > Content-Type: text/plain; charset=utf-8
> >
> > I'm happy to announce the release of Apache Subversion 1.10.7.
> > Please choose the mirror closest to you by visiting:
> >
> > https://subversion.apache.org/download.cgi#supported-releases
> >
> > This is a stable bugfix and security release of the Apache Subversion
> > open source version control system.
> >
> > THIS RELEASE CONTAINS AN IMPORTANT SECURITY FIX:
> >
> >   CVE-2020-17525
> >   "Remote unauthenticated denial-of-service in Subversion mod_authz_svn"
> >
> > The full security advisory for CVE-2020-17525 is available at:
> >   https://subversion.apache.org/security/CVE-2020-17525-advisory.txt
> >
> > A brief summary of this advisory follows:
> >
> >   Subversion's mod_authz_svn module will crash if the server is using
> >   in-repository authz rules with the AuthzSVNReposRelativeAccessFile
> >   option and a client sends a request for a non-existing repository URL.
> >
> >   This can lead to disruption for users of the service.
> >
> >   We recommend all users to upgrade to the 1.10.7 or 1.14.1 release
> >   of the Subversion mod_dav_svn server.
> >
> >   As a workaround, the use of in-repository authz rules files with
> >   the AuthzSVNReposRelativeAccessFile can be avoided by switching
> >   to an alternative configuration which fetches an authz rules file
> >   from the server's filesystem, rather than from an SVN repository.
> >
> >   This issue was reported by Thomas Åkesson.
> >
> > SHA-512 checksums are available at:
> >
> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.sha512
> >
> https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.sha512
> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.sha512
> >
> > PGP Signatures are available at:
> >
> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.bz2.asc
> > https://www.apache.org/dist/subversion/subversion-1.10.7.tar.gz.asc
> > https://www.apache.org/dist/subversion/subversion-1.10.7.zip.asc
> >
> > For this release, the following people have provided PGP signatures:
> >
> >Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> > 8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
> >Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
> > BA3C 15B1 337C F0FB 222B  D41A 1BCA 6586 A347 943F
> >Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
> > 8AA2 C10E EAAD 44F9 6972  7AEA B59C E6D6 010C 8AAD
> >
> > These public keys are available at:
> >
> > https://www.apache.org/dist/subversion/subversion-1.10.7.KEYS
> >
> > Release notes for the 1.10.x release series may be found at:
> >
> > https://subversion.apache.org/docs/release-notes/1.10.html
> >
> > You can find the list of changes 
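The announcement quoted above publishes SHA-512 digests, detached .asc signatures and a KEYS file, and the whole moderation dispute turns on whether the download page and the KEYS link are in place when the announcement goes out. As an added example that is not part of this thread or of the Subversion project's own tooling, the following POSIX shell script shows what a downloader actually does with those three files, and why a missing or mislinked KEYS file breaks the check: the signature is accepted only if it was made by a key imported from KEYS into a throwaway keyring, so nothing in the user's default keyring can stand in for the project's keys. The file layout (`<artifact>.sha512`, `<artifact>.asc` and a `KEYS` file beside the artifact) is an assumption modelled on the URLs in the announcement; the digest-file parser accepts both the `sha512sum` layout and the `gpg --print-md` layout because Apache projects have published both.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Subversion project:
# verify a downloaded release artifact against its published SHA-512 digest
# and detached PGP signature, using the project's KEYS file as the only trust
# root. The file layout is an assumption modelled on the announcement above:
#   <artifact>, <artifact>.sha512, <artifact>.asc and a KEYS file beside them.

# SHA-512 of a file as lowercase hex, with whichever tool is installed.
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Compare an artifact with a published digest file. Accepts both the
# "<hex>  <name>" (sha512sum) layout and the "name: HEX HEX ..." layout that
# gpg --print-md emits; both are normalised to bare lowercase hex first.
# Returns 0 on match, 1 on mismatch or on an empty/unparseable digest file.
verify_sha512() {
    artifact=$1
    digest_file=$2
    want=$(tr -d ' \t\r\n' < "$digest_file" | sed 's/^[^:]*://' | cut -c1-128 | tr 'A-F' 'a-f')
    have=$(sha512_of "$artifact")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Verify the detached signature with keys imported from KEYS only, inside a
# throwaway GnuPG home, so the user's default keyring plays no part.
# Returns 0 only when gpg reports GOODSIG, 2 if KEYS cannot be imported,
# 1 otherwise (bad signature, or signer not present in KEYS).
verify_signature() {
    artifact=$1
    sig_file=$2
    keys_file=$3
    gnupg_home=$(mktemp -d) || return 2
    chmod 700 "$gnupg_home"
    if ! gpg --homedir "$gnupg_home" --batch --quiet --import "$keys_file" >/dev/null 2>&1; then
        rm -rf "$gnupg_home"
        return 2
    fi
    if gpg --homedir "$gnupg_home" --batch --status-fd 1 --verify "$sig_file" "$artifact" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$gnupg_home"
    return $rc
}

# Check digest, then signature, for an artifact whose sidecar files sit next
# to it. The KEYS path defaults to a KEYS file in the artifact's directory.
verify_release() {
    release_file=$1
    keys_file=${2:-$(dirname "$release_file")/KEYS}
    verify_sha512 "$release_file" "$release_file.sha512" \
        || { echo "FAIL: SHA-512 mismatch for $release_file" >&2; return 1; }
    verify_signature "$release_file" "$release_file.asc" "$keys_file" \
        || { echo "FAIL: no good signature from a key listed in $keys_file" >&2; return 1; }
    echo "OK: $release_file"
}

# Usage: sh verify_release.sh subversion-1.10.7.tar.bz2 [KEYS]
if [ $# -gt 0 ]; then
    verify_release "$@"
fi
```

The digest check alone only proves the download matches what the same web server published; the signature check against KEYS is what ties the artifact to a release manager's key, which is why a download page whose KEYS link points somewhere other than the canonical file undermines the verification instructions printed on that very page.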

Re: [announce-ow...@apache.org: Returned post for annou...@apache.org]

2020-06-11 Thread Private List Moderation
Hi Subversion folks,

Moderation of announce@ is handled by a shared moderation system. Any
rejection message is meant to be signed so you can identify who sent it.
Please accept my apologies that this didn't happen in this case. Having
reviewed the sent mail log it appears that it was sebb who rejected the
announcement.

I see that Sally's broader announcement on the 1.40.0 release has been
moderated through. I don't see the message below on the announce@ list. I'd
offer to moderate it through but it will have expired by now. If you want
to resend it to announce@ I can moderate it through for you.

Kind regards,

Mark
(markt)

On Thu, 28 May 2020 at 18:16, Daniel Shahaf  wrote:

> Branko Čibej wrote on Thu, 28 May 2020 07:05 +0200:
> > Dear announce@ moderators,
> >
> > Moderation is not an appropriate venue for discussing policy. It is a
> > way to prevent spam. If you have something to say, you're welcome to say
> > it on dev@subversion.apache.org. You are not responsible for the
> > contents of a release. The PMC is. Your anonymous pontification does not
> > encourage discussion and collaboration and as such is itself a violation
> > of the core principles of the ASF. Community over code, eh?
> >
>
> To clarify: The Subversion PMC strongly considers your points
> about the naming of KEYS files and links thereto insufficient grounds
> for rejecting its release announcements.  Care to respond?
>
> > -- Brane
> >
> >
> > On 27.05.2020 19:30, Stefan Sperling wrote:
> > > Out of the blue, I have received nitpicking of changes I made to the
> > > website and the announce message I sent. I've received this feedback
> > > via the mailing list moderation mechanism.
> > >
> > > Can anyone tell me what's going on here? Who even wrote this?
> > >
> > > FWIW, the announce message was generated by release.py; if there's
> > > something wrong with that, we need to fix that script.
> > > There's nothing I could do now to correct the announce message
> > > itself since it has already been approved (by me).
> > >
> > > - Forwarded message from announce-ow...@apache.org -
> > >
> > > Date: 27 May 2020 17:09:19 -
> > > From: announce-ow...@apache.org
> > > To: s...@apache.org
> > > Subject: Returned post for annou...@apache.org
> > > Message-ID: <1590599359.7756.ez...@apache.org>
> > > Content-Type: multipart/mixed; boundary=lodpbfombmeidpnonnko
> > > X-Spam-Score: (-7.5) SPF_HELO_NONE,SPF_PASS,USER_IN_DEF_SPF_WL
> > >
> > >
> > > Hi! This is the ezmlm program. I'm managing the
> > > annou...@apache.org mailing list.
> > >
> > > I'm sorry, your message (enclosed) was not accepted by the moderator.
> > > If the moderator has made any comments, they are shown below.
> > >
> > >>  >
> > > Sorry, but the announce message and download page are not acceptable.
> > >
> > > The KEYS file must have the name KEYS, and should be at:
> > > https://downloads.apache.org/subversion/KEYS
> > >
> > > The download page is confusing, as the verification instructions say
> to use
> > > https://downloads.apache.org/subversion/KEYS, which is fine,
> > > however the entries for 1.40.0 have different links for the KEYS files.
> > >
> > > Please fix the page and submit a corrected email.
> > >
> > > Thanks.
> > > <  <
> > >
> > >
> > > Date: Wed, 27 May 2020 17:56:06 +0200
> > > From: Stefan Sperling 
> > > To: annou...@subversion.apache.org, us...@subversion.apache.org,
> > >  dev@subversion.apache.org, annou...@apache.org
> > > Subject: [ANNOUNCE] Apache Subversion 1.14.0 released
> > > Message-ID: <20200527155606.gc45...@ted.stsp.name>
> > > Reply-To: us...@subversion.apache.org
> > > Content-Type: text/plain; charset=utf-8
> > >
> > > I'm happy to announce the release of Apache Subversion 1.14.0.
> > > Please choose the mirror closest to you by visiting:
> > >
> > > https://subversion.apache.org/download.cgi#recommended-release
> > >
> > > This is a stable feature release of the Apache Subversion open source
> > > version control system.
> > >
> > > SHA-512 checksums are available at:
> > >
> > >
> https://www.apache.org/dist/subversion/subversion-1.14.0.tar.bz2.sha512
> > >
> https://www.apache.org/dist/subversion/subversion-1.14.0.tar.gz.sha512
> > >
> https://www.apache.org/dist/subversion/subversion-1.14.0.zip.sha512
> > >
> > > PGP Signatures are available at:
> > >
> > >
> https://www.apache.org/dist/subversion/subversion-1.14.0.tar.bz2.asc
> > >
> https://www.apache.org/dist/subversion/subversion-1.14.0.tar.gz.asc
> > > https://www.apache.org/dist/subversion/subversion-1.14.0.zip.asc
> > >
> > > For this release, the following people have provided PGP signatures:
> > >
> > >Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
> > > 8BC4 DAE0 C5A4 D65F 4044  0107 4F7D BAA9 9A59 B973
> > >Julian Foad [4096R/1FB064B84EECC493] with fingerprint:
> > > 6011 63CF 9D49 9FD7 18CF  582D 1FB0 64B8 4EEC C493
> > >Nathan Hartman (CODE SIGNING KEY)