Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 05.04.2012 14:19, schrieb Romain d'Alverny: On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi. For thunderbird it's actually me, Anssi grabbed it on my behalf when i was still apprentice ;)
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Op zaterdag 07 april 2012 20:50:03 schreef Florian Hubold: Am 05.04.2012 14:19, schrieb Romain d'Alverny: On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi. For thunderbird it's actually me, Anssi grabbed it on my behalf when i was still apprentice ;) no offense, but if you're the thunderbird maintainer, why don't you ask mozilla about it? tell them if we're not getting this official permission we won't ship it and do the iceape thing instead...
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 07.04.2012 20:59, schrieb Maarten Vanraes: Op zaterdag 07 april 2012 20:50:03 schreef Florian Hubold: Am 05.04.2012 14:19, schrieb Romain d'Alverny: On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi. For thunderbird it's actually me, Anssi grabbed it on my behalf when i was still apprentice ;) no offense, but if you're the thunderbird maintainer, why don't you ask mozilla about it? tell them if we're not getting this official permission we won't ship it and do the iceape thing instead... Did you read my previous mails? I've asked Kev Needham, mozilla distribution channel manager, about the approval process, sadly no answer yet.
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Op zaterdag 07 april 2012 21:14:00 schreef Florian Hubold: Am 07.04.2012 20:59, schrieb Maarten Vanraes: Op zaterdag 07 april 2012 20:50:03 schreef Florian Hubold: Am 05.04.2012 14:19, schrieb Romain d'Alverny: On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi. For thunderbird it's actually me, Anssi grabbed it on my behalf when i was still apprentice ;) no offense, but if you're the thunderbird maintainer, why don't you ask mozilla about it? tell them if we're not getting this official permission we won't ship it and do the iceape thing instead... Did you read my previous mails? I've asked Kev Needham, mozilla distribution channel manager, about the approval process, sadly no answer yet. ah, mea culpa, i must've missed a few and too bad though... you can ask a few more people and CC some of the important people (or ones having good connections) like annael, stewb or such... otoh, silence is acceptance is one of my favourite sayings...
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 07.04.2012 21:25, schrieb Maarten Vanraes: Op zaterdag 07 april 2012 21:14:00 schreef Florian Hubold: Am 07.04.2012 20:59, schrieb Maarten Vanraes: Op zaterdag 07 april 2012 20:50:03 schreef Florian Hubold: Am 05.04.2012 14:19, schrieb Romain d'Alverny: On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi. For thunderbird it's actually me, Anssi grabbed it on my behalf when i was still apprentice ;) no offense, but if you're the thunderbird maintainer, why don't you ask mozilla about it? tell them if we're not getting this official permission we won't ship it and do the iceape thing instead... Did you read my previous mails? I've asked Kev Needham, mozilla distribution channel manager, about the approval process, sadly no answer yet. ah, mea culpa, i must've missed a few and too bad though... you can ask a few more people and CC some of the important people (or ones having good connections) like annael, stewb or such... otoh, silence is acceptance is one of my favourite sayings... Well, when i pointed out those branding issues before, noone was interested either, here on this list ...
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Op zaterdag 07 april 2012 23:48:59 schreef Florian Hubold: Am 07.04.2012 21:25, schrieb Maarten Vanraes: [...] otoh, silence is acceptance is one of my favourite sayings... Well, when i pointed out those branding issues before, noone was interested either, here on this list ... guilty as charged...
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: Am 26.03.2012 19:46, schrieb Florian Hubold: Hi all, i've taken a look at iceape and locally updated it to 2.7.2¹ after talking with maintainer about it, with the intent to at least push this to Mageia 1, because since initial import it has not received any security updates (and there are countless security problem) I've also completed the rebrand to iceape as far as i saw fit (change URL to release notes, applied some more debian rebranding patches, removed updater files and updater menu item, and some more smaller fixes, current svn diff is attached) and did some cleaning of old and unused stuff. ¹: I've only updated it to 2.7.2 as 2.8 does require newer NSPR, and that's a no-go for Mageia 1, which is my primary target. The biggest problem is: current maintainer does not have enough time to maintain it properly, and i'm not planning on doing it either, as i don't use it or know it well. There are at least 3 good options on how to proceed, apart from mga1 update: 1. push latest version to cauldron, and hope somebody will maintain it afterwards (this is the worst IMHO, as we'll probably face the same situation with a de-facto umaintained package throughout Mageia 2 lifetime, which i want to avoid) 2. drop iceape, package as seamonkey again and sync with Fedora (this one would at least make maintenance easier, only need to follow Fedora) 3. drop iceape completely (actually this has the advantage that users can have official upstream binaries, and take advantage of automatic updates. Current maintainer agrees with this, as it's simply too fragile for him to maintain it easily. If somebody is against this, please step up as maintainer or help the current maintainer) I'm currently in contact with some seamonkey developers, to maybe clear up why/if the rebrand is needed, if it's needed like it's currently done, and why Fedora can simply ship seamonkey without the need for a rebrand, but the dialog may take some time, this would be only relevant for option 2. If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. Kind regards As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten.
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
On Thu, Apr 5, 2012 at 08:11, Maarten Vanraes al...@rmail.be wrote: Op woensdag 04 april 2012 22:59:30 schreef Florian Hubold: As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions. About the mozilla branding... Perhaps this should be a meeting point for packaging/council meeting... ie: someone assigned to this point so it's not forgotten. Would have been good to raise this point in Council way sooner. No other than the maintainers may answer both questions (about changes, and about contact/permissions from Mozilla). For Firefox it's dmorgan and for Thunderbird it's anssi.
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 26.03.2012 19:46, schrieb Florian Hubold: Hi all, i've taken a look at iceape and locally updated it to 2.7.2¹ after talking with maintainer about it, with the intent to at least push this to Mageia 1, because since initial import it has not received any security updates (and there are countless security problem) I've also completed the rebrand to iceape as far as i saw fit (change URL to release notes, applied some more debian rebranding patches, removed updater files and updater menu item, and some more smaller fixes, current svn diff is attached) and did some cleaning of old and unused stuff. ¹: I've only updated it to 2.7.2 as 2.8 does require newer NSPR, and that's a no-go for Mageia 1, which is my primary target. The biggest problem is: current maintainer does not have enough time to maintain it properly, and i'm not planning on doing it either, as i don't use it or know it well. There are at least 3 good options on how to proceed, apart from mga1 update: 1. push latest version to cauldron, and hope somebody will maintain it afterwards (this is the worst IMHO, as we'll probably face the same situation with a de-facto umaintained package throughout Mageia 2 lifetime, which i want to avoid) 2. drop iceape, package as seamonkey again and sync with Fedora (this one would at least make maintenance easier, only need to follow Fedora) 3. drop iceape completely (actually this has the advantage that users can have official upstream binaries, and take advantage of automatic updates. Current maintainer agrees with this, as it's simply too fragile for him to maintain it easily. If somebody is against this, please step up as maintainer or help the current maintainer) I'm currently in contact with some seamonkey developers, to maybe clear up why/if the rebrand is needed, if it's needed like it's currently done, and why Fedora can simply ship seamonkey without the need for a rebrand, but the dialog may take some time, this would be only relevant for option 2. If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. Kind regards As there was no real objection, and no other comments or votes for iceape, i've dropped it from cauldron. FWIW i'm quite unhappy with this. Related, i've also not got any reply yet to my aforementioned inquiry about mozilla branding permissions.
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 30.03.2012 11:41, schrieb Samuel Verschelde: Le mardi 27 mars 2012 21:10:04, Florian Hubold a écrit : So if noone volunteers and ensures to keep it updated for stable distros, i'm gonna drop it from cauldron next week, before it's too late. What about adding it to task-obsolete and then if no maintainer is found for Mageia 3 drop it completely? Samuel Well, dropping it means obsoleting it. It can be revived at any later time if someone feels up to it. Seems we mean the same thing, which was documented by boklm at https://wiki.mageia.org/en/Packaging_guidelines#Obsoleting_a_package Feel free to have a look if the servers are back up again ;)
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Le mardi 27 mars 2012 21:10:04, Florian Hubold a écrit : So if noone volunteers and ensures to keep it updated for stable distros, i'm gonna drop it from cauldron next week, before it's too late. What about adding it to task-obsolete and then if no maintainer is found for Mageia 3 drop it completely? Samuel
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
On Thu, Mar 29, 2012 at 12:13:02PM +0200, nicolas vigier wrote: It seems that if we don't have major changes, there should be no problem to have permission. So I think someone should ask for permission for firefox and thunderbird. Does anyone know where it should be asked ? The page at http://www.mozilla.org/foundation/trademarks/policy.html describes the policy. The policy covers the case of compiling from pristine sources: If you compile Mozilla unmodified source code (including code and config files in the installer) and do not charge for it, you do not need additional permission from Mozilla to use the relevant Mozilla Mark(s) for your compiled version. and the case of highly modified source: If you're...making significant functional changes, you may not redistribute the fruits of your labor under any Mozilla trademark, without Mozilla's prior written consent. and in a final section, also the case of making minor changes: Again, any modification to the Mozilla product...will require our permission if you want to use the Mozilla Marks. So, if we're applying any patches at all, we'll need to ask permission. Dan
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
On Wed, 28 Mar 2012, Florian Hubold wrote: OK, so how do we handle this? As there is no explicit permission by Mozilla to have us ship officially branded Mozilla apps, as i've put up before, or at least i don't know of any explicit permission. It seems that if we don't have major changes, there should be no problem to have permission. So I think someone should ask for permission for firefox and thunderbird. Does anyone know where it should be asked ?
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 29.03.2012 12:13, schrieb nicolas vigier: On Wed, 28 Mar 2012, Florian Hubold wrote: OK, so how do we handle this? As there is no explicit permission by Mozilla to have us ship officially branded Mozilla apps, as i've put up before, or at least i don't know of any explicit permission. It seems that if we don't have major changes, there should be no problem to have permission. So I think someone should ask for permission for firefox and thunderbird. Does anyone know where it should be asked ? Judging by https://bugzilla.mozilla.org/show_bug.cgi?id=555935 it should be done through Mozilla bugzilla, and they're going through each patch and every change. But i don't see chances that we'll get through this until release freeze, that's why i've tried to put this up before. I've just mailed Kev Needham (Mozilla Distribution Channel Manager) how to proceed with a trademark permission request and if there's an estimate how much time that would take.
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 26.03.2012 19:46, schrieb Florian Hubold: I'm currently in contact with some seamonkey developers, to maybe clear up why/if the rebrand is needed, if it's needed like it's currently done, and why Fedora can simply ship seamonkey without the need for a rebrand, but the dialog may take some time, this would be only relevant for option 2. As a followup, an answer from Justin Callek, seamonkey developer: Am 28.03.2012 19:02, schrieb Justin Wood (Callek): Florian Hubold wrote: Could you please expand on this, and tell me if we need to rebrand seamonkey if we want to ship it, and how far the rebrand has to go and under which conditions we need to do the rebrand. As i'm currently wondering why f.ex. Fedora can ship seamonkey without any rebranding, or do they have official approval? Top of my head I'm not sure on the Fedora situation, so I won't comment on that. You know whom i can ask about this? No pressing issue, though ... Would be nice if somebody could tell me wether the Fedora way is approved, because one of my options would be to drop iceape in it's current form as it's hassle to maintain, and to reimport seamonkey as Fedora packages it: http://pkgs.fedoraproject.org/gitweb/?p=seamonkey.git;a=tree Will address the rest of your message later, but this for now... I will thank Robert Kaiser for providing the wording for the answer of the following, not sure if he meant to send it directly to you as well, but this makes my reply soo much easier. `so far, we've handled those cases with a stance of if you have permission from Mozilla to ship an officially branded Firefox (and Thunderbird) with those code changes, you have permission to ship SeaMonkey with those same changes - if you don't modify the code or deactivate (major) features, you're always allowed to ship with official branding. As most of those distros offer Firefox and Thunderbird as well, usually with higher priorities as SeaMonkey, that has worked out fine so far without needing special additional rules. ` As said I'll skim the changes you mentioned, but if you are able to ship Firefox/Thunderbird with these changes and with official branding, consider it a 'go' from us. OK, so how do we handle this? As there is no explicit permission by Mozilla to have us ship officially branded Mozilla apps, as i've put up before, or at least i don't know of any explicit permission. As this applies to Firefox and Thunderbird as well ...
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 26.03.2012 21:29, schrieb Samuel Verschelde: Le lundi 26 mars 2012 19:46:56, Florian Hubold a écrit : If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. The problem with dropping a package that was present in Mageia 1, in my opinion, is that it's too late to do so. By shipping it we implicitly promised to maintain it. Of course with that kind of logic we would never drop any package, but I just wanted to point out that dropping a package is not that an easy solution : when dropping something, there should be a note somewhere (in the errata?), there should be a warning before upgrade (ideally the following packages found on your system are no longer supported in Mageia 2 and will not get security updates. Do you want to continue?). I'm not volunteering to maintain it, so I won't strongly oppose dropping it, but if possible I'd like we actively looked for a maintainer first rather and drop it only as a last solution. Best regards Samuel Verschelde Well, i've put this up multiple times before, the rebrand and the missing security updates, now that nothing has happened, i've at least worked on a solution for Mageia 1. But we should try to keep it sustainable in the long term. So please not make that we should look for a maintainer as then IMHO nothing will happen by itself, but just propose to feed it to Cerberus. Wasn't the goal some time ago to have no packages maintained by infamous nobody? Now we have packages, which are not really maintained. This is quite a step back. Also please consider that nobody was interested about discussing a proposal for a policy about unresponsive maintainers, which is a really similar topic, IMHO. Quite sad overall, if you ask me, and much room for improvements. So if noone volunteers and ensures to keep it updated for stable distros, i'm gonna drop it from cauldron next week, before it's too late. PS: IMHO, we didn't promise to people we will maintain this collection of software eternally this is just not realistic and not possible, but we promised stable packages of a good quality. Neither is fulfilled in this case.
[Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Hi all, i've taken a look at iceape and locally updated it to 2.7.2¹ after talking with maintainer about it, with the intent to at least push this to Mageia 1, because since initial import it has not received any security updates (and there are countless security problem) I've also completed the rebrand to iceape as far as i saw fit (change URL to release notes, applied some more debian rebranding patches, removed updater files and updater menu item, and some more smaller fixes, current svn diff is attached) and did some cleaning of old and unused stuff. ¹: I've only updated it to 2.7.2 as 2.8 does require newer NSPR, and that's a no-go for Mageia 1, which is my primary target. The biggest problem is: current maintainer does not have enough time to maintain it properly, and i'm not planning on doing it either, as i don't use it or know it well. There are at least 3 good options on how to proceed, apart from mga1 update: 1. push latest version to cauldron, and hope somebody will maintain it afterwards (this is the worst IMHO, as we'll probably face the same situation with a de-facto umaintained package throughout Mageia 2 lifetime, which i want to avoid) 2. drop iceape, package as seamonkey again and sync with Fedora (this one would at least make maintenance easier, only need to follow Fedora) 3. drop iceape completely (actually this has the advantage that users can have official upstream binaries, and take advantage of automatic updates. Current maintainer agrees with this, as it's simply too fragile for him to maintain it easily. If somebody is against this, please step up as maintainer or help the current maintainer) I'm currently in contact with some seamonkey developers, to maybe clear up why/if the rebrand is needed, if it's needed like it's currently done, and why Fedora can simply ship seamonkey without the need for a rebrand, but the dialog may take some time, this would be only relevant for option 2. If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. Kind regards
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Am 26.03.2012 19:46, schrieb Florian Hubold: Hi all, i've taken a look at iceape and locally updated it to 2.7.2¹ after talking with maintainer about it, with the intent to at least push this to Mageia 1, because since initial import it has not received any security updates (and there are countless security problem) I've also completed the rebrand to iceape as far as i saw fit (change URL to release notes, applied some more debian rebranding patches, removed updater files and updater menu item, and some more smaller fixes, current svn diff is attached) and did some cleaning of old and unused stuff. Sorry, fingers were too fast, not attached, as it's quite big, but here's a pastebin of it if somebody is really interested: http://pastebin.com/LKVPEpgG ¹: I've only updated it to 2.7.2 as 2.8 does require newer NSPR, and that's a no-go for Mageia 1, which is my primary target. The biggest problem is: current maintainer does not have enough time to maintain it properly, and i'm not planning on doing it either, as i don't use it or know it well. There are at least 3 good options on how to proceed, apart from mga1 update: 1. push latest version to cauldron, and hope somebody will maintain it afterwards (this is the worst IMHO, as we'll probably face the same situation with a de-facto umaintained package throughout Mageia 2 lifetime, which i want to avoid) 2. drop iceape, package as seamonkey again and sync with Fedora (this one would at least make maintenance easier, only need to follow Fedora) 3. drop iceape completely (actually this has the advantage that users can have official upstream binaries, and take advantage of automatic updates. Current maintainer agrees with this, as it's simply too fragile for him to maintain it easily. If somebody is against this, please step up as maintainer or help the current maintainer) I'm currently in contact with some seamonkey developers, to maybe clear up why/if the rebrand is needed, if it's needed like it's currently done, and why Fedora can simply ship seamonkey without the need for a rebrand, but the dialog may take some time, this would be only relevant for option 2. If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. Kind regards
Re: [Mageia-dev] [RFC] How to proceed with seamonkey/iceape for security updates and freeze push
Le lundi 26 mars 2012 19:46:56, Florian Hubold a écrit : If nobody responds, i'll push my current work as security update for Mageia 1, and drop iceape from cauldron so that we won't have an outdated package and a potential security risk for Mageia 2. The problem with dropping a package that was present in Mageia 1, in my opinion, is that it's too late to do so. By shipping it we implicitly promised to maintain it. Of course with that kind of logic we would never drop any package, but I just wanted to point out that dropping a package is not that an easy solution : when dropping something, there should be a note somewhere (in the errata?), there should be a warning before upgrade (ideally the following packages found on your system are no longer supported in Mageia 2 and will not get security updates. Do you want to continue?). I'm not volunteering to maintain it, so I won't strongly oppose dropping it, but if possible I'd like we actively looked for a maintainer first rather and drop it only as a last solution. Best regards Samuel Verschelde
