Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On Thu, Oct 11, 2018 at 4:38 PM Sergei Trofimovich wrote: > > On Thu, 11 Oct 2018 17:10:10 +0200 > Thomas Deutschmann wrote: > > > Let me quote > > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8: > > > > > net-dns/dnssec-root: Blind stable on arm, critical bug 667774 > > > > > > Note that this is a major fail for a stable architecture. > > > In addition, all arm devboxes are currently offline. > > > > > > Bug: https://bugs.gentoo.org/667774 > > > Signed-off-by: Andreas K. Hüttel > > > Package-Manager: Portage-2.3.49, Repoman-2.3.11 > > > > ...and now let's all sit down and enjoy how stable ARM users lose access > > to the Internet and have to figure out how to deactivate DNSSEC to get > > back online. ;] > > > > Maybe it is time to destabilize ARM on Gentoo to stop the impression > > that we really support ARM. > > [ CC: arm@ ] > > A few points to think about: > > 1. I have read this as a direct statement that ARM is not maintained. >I don't think it is a fair (or constructive) assessment of team's work >on ARM front. It's maintained, but in my experience it's often the last architecture to handle a bug. Often by a wide margin. Take a look at the shapes these graphs: https://www.akhuettel.de/gentoo-bugs/arches.php maekke and zlogene do a lot of arm stabilizations, but I'm sure it's too much work for two people alone, especially if all the arm devboxes are offline (WTF?).
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On 2018-10-12 01:38, Sergei Trofimovich wrote: >> Maybe it is time to destabilize ARM on Gentoo to stop the impression >> that we really support ARM. > > [ CC: arm@ ] > > A few points to think about: > > 1. I have read this as a direct statement that ARM is not maintained. >I don't think it is a fair (or constructive) assessment of team's work >on ARM front. See the ARM bug queue for stable requests. ARM is always last and behind since we dropped HPPA. > 2. The bug was created less than a week ago and was not communicated >explicitly as urgent on #gentoo-arm. I see failure to handle the bug >as a communication failure and not a team's death signal. > >Were there any attempts to reach out to the teams or just arm users? Bug was assigned highest priority in bugzilla. But it looks like ARM arch team is ignoring set priority. *I* didn't asked in #gentoo-arm but I pinged project several times in #gentoo-dev channel. > 3. I do not believe arm boxes (or most of users' boxes) update @world weekly >and restart unbound automatically. Deadline of a few days is not feasible >to propagate to users quickly. There is frequently no order-of-days > response >from arch teams. It would be nice to have but it's not realistic (IMO). > > [...] > > 6. If this package is so important it needs to be stable months before keys > expire. >Then users would have a chance to get the update during casual update. Or >net-dns/unbound DNSSEC functionality should not be marked stable anywhere >if package requires periodic manual intervention to just keep working. Disclaimer: I am not the maintainer of unbound nor dnssec-root package. I took action last week after I noticed that there was a time bomb ticking and nobody cared. I fully agree that an updated dnssec-root package could have been made available one year ago giving everyone enough time... > 4. net-dns/dnssec-root is used by a single(ish) package in tree: > net-dns/unbound > >Which is: not a system package, not a default package, not suggested by > handbook >package, can operate without DNSSEC enabled. Unbound is a popular resolver and many Gentoo users are operating ARM-based routers. I don't get your point. Of course you could disable DNSSEC and DNS will resume working. But is this really your point? >While annoying it's not going to lock users out or corrupt their data. Right, it doesn't cause data corruption. But when your Gentoo-based router will stop working this can be a problem. Don't forget about remote systems. Again, people who know how to deal with problems like that aren't the problem. But why do we care about stable packages if we assume that everyone knows what to do when experiencing problems? > 5. net-dns/dnssec-root is a plain-text file package. It should have been > ALLARCHES >stablewithout involvement of arm@. It wasn't about dnssec-root package. Of course this could have been stabilized under ALLARCHES policy. It wasn't because package has a new dependency (>=dev-perl/XML-XPath-1.420.0 + deps) which was lacking stable keywords, too. If ARM can keep up I am quiet. But please, be honest. We don't need another HPPA. Nobody will win something if we tell world "ARM is a first class citizen in Gentoo" when it isn't (anymore). But if people would know it is ~ARCH, we would not disappoint expectations. -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On Thu, 11 Oct 2018 17:10:10 +0200 Thomas Deutschmann wrote: > Let me quote > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8: > > > net-dns/dnssec-root: Blind stable on arm, critical bug 667774 > > > > Note that this is a major fail for a stable architecture. > > In addition, all arm devboxes are currently offline. > > > > Bug: https://bugs.gentoo.org/667774 > > Signed-off-by: Andreas K. Hüttel > > Package-Manager: Portage-2.3.49, Repoman-2.3.11 > > ...and now let's all sit down and enjoy how stable ARM users lose access > to the Internet and have to figure out how to deactivate DNSSEC to get > back online. ;] > > Maybe it is time to destabilize ARM on Gentoo to stop the impression > that we really support ARM. [ CC: arm@ ] A few points to think about: 1. I have read this as a direct statement that ARM is not maintained. I don't think it is a fair (or constructive) assessment of team's work on ARM front. 2. The bug was created less than a week ago and was not communicated explicitly as urgent on #gentoo-arm. I see failure to handle the bug as a communication failure and not a team's death signal. Were there any attempts to reach out to the teams or just arm users? 3. I do not believe arm boxes (or most of users' boxes) update @world weekly and restart unbound automatically. Deadline of a few days is not feasible to propagate to users quickly. There is frequently no order-of-days response from arch teams. It would be nice to have but it's not realistic (IMO). 4. net-dns/dnssec-root is used by a single(ish) package in tree: net-dns/unbound Which is: not a system package, not a default package, not suggested by handbook package, can operate without DNSSEC enabled. While annoying it's not going to lock users out or corrupt their data. I don't think state of this package is characteristic of ARM support in Gentoo. 5. net-dns/dnssec-root is a plain-text file package. It should have been ALLARCHES stablewithout involvement of arm@. 6. If this package is so important it needs to be stable months before keys expire. Then users would have a chance to get the update during casual update. Or net-dns/unbound DNSSEC functionality should not be marked stable anywhere if package requires periodic manual intervention to just keep working. -- Sergei
Re: [gentoo-dev] Packages up for grabs: app-misc/gramps, dev-libs/granite, media-gfx/sane-frontends, media-gfx/yafaray, net-dialup/freeradius, sys-apps/miller
> +1 for media-gfx/yafaray > if there are no objections or anyone else is up for it. -BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEKbqdX3+q71mbfP1xLiRqTnFapoMFAlu7OCEACgkQLiRqTnFa poNFsw//biiEGzWLCUZLsdk1hm2zWrvPlCH877La1bLV/xuqFGs/y4X3Nv4CLX4g 5NWzgWdC1cLDD9hRbY+MM5U1GQjDX1E4rC5c12sA23n4cn0STM97LL4ofYZasBGV 2vIAhkJe+KwFuGhpprjGBqZAbizB2q5ymfNfNUycJxcyadt2Uq52iEheOBNpAIXB apout3xQlZG+7QRsiqbpOY+UoTPPZJPUNs24YCbBXHUg+8qNnNhvjrleFleWOtOl U814TOZQSebgUt6IOdVZm3M1tjZSVIgSHvGsWf70zDqLHQW6h5rgp3C6Ie59J9L8 5hPptR01Fu3SiYOQSW1gj1NRZkFZljjWLMGdI21ZA8cQbyqKKo51YLnPETevV17r OzAE03na0wMxUdXyZMbh5ZykyH9HaSBKSG4Cpbx1ukq2421w8DHgbuW0yN7xyRDY 3KGtBhYPF3P78vhOQONVsCLGq3JWNIHoDWJYaZ9h2Cj1i5RZBN3VoDmMwZq5omdL Dpbe7y2L2kZRI3qKeg9jQggyjtokyt/usNTAICLDRqWd+Zrqj9HHcgGvKJumGj9m 5JIJeKGl0JwrtvpUHPBh/W27Aium60NylXKxL0biWLHkOLEXVklxEYsdE5s7IZgy E6ZHEpA55qC64JLkRWh3P+jN4qaLED+QUF856L3+wmhNePMrmSo= =+sCv -END PGP SIGNATURE-
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On October 11, 2018 19:05:43 Thomas Deutschmann wrote: On 2018-10-11 17:45, Corentin “Nado” Pazdera wrote: What's a "blind stable"? I'm guessing stabilizing without testing? If yes, why? Yes, stabilized without testing. Reason: No ARM arch team member with access to an ARM box was available for the last ~7 days. However, this update is critical for anyone using something like net-dns/unbound with DNSSEC validation enabled (which isn't enabled by default but you are encourage to switch this on). And for unbound the time was over 30 days ago. Note that the new key will only be accepted by unbound if it has seen it for at least 30 days. -Marc -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On 2018-10-11 17:48, Alec Warner wrote: > This thread is missing a bunch of context...so I'll try to add it I guess. All you need to know in this commit message, included linked bug report for more details. :) > I can't tell if the complaint is that: > > 1) Someone blind-stabled something on arm and it broke (doesn't build?) > 2) The arm team failed to mark a package stable before a hard deadline > (DNSSEC key rotation) > > I presume its the latter? Whats the impact? All DNS, or only DNSSEC > validated entries? It's the latter. It will affect anyone running an own DNS resolver like net-dns/unbound on ARM with DNSSEC enabled (not default) using keys provided by net-dns/dnssec-root package. Of course anyone familiar with DNSSEC or unbound maybe knows how to workaround: - Enable auto-anchor update; However it is too late to do that know, it will take ~30 days until the new learned key will become trusted. Same applies to any *new* setup within last 30 days. - Use unbound-anchor tool to force a manual immediate update. - Disable DNSSEC validation. But that's not the point here. The point was to get some attention that again we have a lacking architecture (net-dns/dnssec-root is not the only package where ARM arch team is lacking behind) which affects anyone "trusting" somehow in STABLE keywords. If everyone is using ~ARCH and don't care about STABLE keywords, well, we could save a bunch of time, energy... -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On Thu, Oct 11, 2018 at 1:05 PM Thomas Deutschmann wrote: > On 2018-10-11 17:45, Corentin “Nado” Pazdera wrote: > > What's a "blind stable"? I'm guessing stabilizing without testing? If > > yes, why? > > Yes, stabilized without testing. > > Reason: No ARM arch team member with access to an ARM box was available > for the last ~7 days. > > However, this update is critical for anyone using something like > net-dns/unbound with DNSSEC validation enabled (which isn't enabled by > default but you are encourage to switch this on). > I think the narrative around this being a major issue is tougher when its not broken by default. This doesn't meant its a great outcome, but I'm not convinced its sufficient to downgrade the arch. I'm also curious why you are airing this here rather than talking to the arm team directly. -A > > > -- > Regards, > Thomas Deutschmann / Gentoo Linux Developer > C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 > >
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On 2018-10-11 17:45, Corentin “Nado” Pazdera wrote: > What's a "blind stable"? I'm guessing stabilizing without testing? If > yes, why? Yes, stabilized without testing. Reason: No ARM arch team member with access to an ARM box was available for the last ~7 days. However, this update is critical for anyone using something like net-dns/unbound with DNSSEC validation enabled (which isn't enabled by default but you are encourage to switch this on). -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
On Thu, Oct 11, 2018 at 11:10 AM Thomas Deutschmann wrote: > Let me quote > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8 > : > This thread is missing a bunch of context...so I'll try to add it I guess. > > > net-dns/dnssec-root: Blind stable on arm, critical bug 667774 > > > > Note that this is a major fail for a stable architecture. > > In addition, all arm devboxes are currently offline. > > > > Bug: https://bugs.gentoo.org/667774 > > Signed-off-by: Andreas K. Hüttel > > Package-Manager: Portage-2.3.49, Repoman-2.3.11 > > ...and now let's all sit down and enjoy how stable ARM users lose access > to the Internet and have to figure out how to deactivate DNSSEC to get > back online. ;] > I can't tell if the complaint is that: 1) Someone blind-stabled something on arm and it broke (doesn't build?) 2) The arm team failed to mark a package stable before a hard deadline (DNSSEC key rotation) I presume its the latter? Whats the impact? All DNS, or only DNSSEC validated entries? > Maybe it is time to destabilize ARM on Gentoo to stop the impression > that we really support ARM. > I'm not really sure I buy this as an argument; but then again I think there is a general expectation that Gentoo users using 'are paying attention'[0] so stable arm users would have unmasked the ~arch version of the keys long before today. [0] Particularly people using DNSSEC...but maybe I'm just a curmudgeon. > > > -- > Regards, > Thomas Deutschmann / Gentoo Linux Developer > C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 > >
Re: [gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
October 11, 2018 5:10 PM, "Thomas Deutschmann" wrote: > Let me quote > https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8: > >> net-dns/dnssec-root: Blind stable on arm, critical bug 667774 >> >> Note that this is a major fail for a stable architecture. >> In addition, all arm devboxes are currently offline. >> >> Bug: https://bugs.gentoo.org/667774 >> Signed-off-by: Andreas K. Hüttel >> Package-Manager: Portage-2.3.49, Repoman-2.3.11 > > ...and now let's all sit down and enjoy how stable ARM users lose access > to the Internet and have to figure out how to deactivate DNSSEC to get > back online. ;] > > Maybe it is time to destabilize ARM on Gentoo to stop the impression > that we really support ARM. What's a "blind stable"? I'm guessing stabilizing without testing? If yes, why? I'm almost happy I dont use dnssec for once. Corentin “Nado” Pazdera
[gentoo-dev] net-dns/dnssec-root: Blind stable on arm, critical bug 667774
Let me quote https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6f6bb91b7f134a121ef9fa1dd504b9ca52c5aa8: > net-dns/dnssec-root: Blind stable on arm, critical bug 667774 > > Note that this is a major fail for a stable architecture. > In addition, all arm devboxes are currently offline. > > Bug: https://bugs.gentoo.org/667774 > Signed-off-by: Andreas K. Hüttel > Package-Manager: Portage-2.3.49, Repoman-2.3.11 ...and now let's all sit down and enjoy how stable ARM users lose access to the Internet and have to figure out how to deactivate DNSSEC to get back online. ;] Maybe it is time to destabilize ARM on Gentoo to stop the impression that we really support ARM. -- Regards, Thomas Deutschmann / Gentoo Linux Developer C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 signature.asc Description: OpenPGP digital signature
[gentoo-dev] Last rites: net-libs/libgcal
# Virgil Dupras (11 Oct 2018) # Dead upstream, unmaintained, no revdep. Removal in 30 days. # Bug #659532 net-libs/libgcal pgpG5rFWn0DSx.pgp Description: PGP signature
[gentoo-dev] Last rites: dev-libs/MicroJSON
# Virgil Dupras (11 Oct 2018) # Unmaintained, no revdep. Removal in 30 days. # Bug #661554 Bug #661552 dev-libs/MicroJSON dev-libs/UTF8Strings pgpW27TEA8__V.pgp Description: PGP signature