Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
* Edd Barrett [2007-11-29]:
> Instead you should urge the project to pay more attention to the
> stable branch, if that's how you feel.

You cannot urge the project, that's not how we work. You have to find a developer and convince him to take responsibility. I tried it several times and failed, which is easily understandable: -stable maintenance doesn't give anything back to the developer who does it, it's just work and it never ends.

> Backporting is quite a simple process. Usually you can try the one

Certainly not! Backporting is often enough an extremely complex process, you have to make sure not to break compatibility, sometimes you have to dig through source code to find that one security fix you are looking for but which isn't marked in any sensible way.

Nikolay

--
"It's all part of my Can't-Do approach to life." Wally
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On 29/11/2007, Nikns Siankin <[EMAIL PROTECTED]> wrote:
> Maybe some ports@ people (not openbsd developers, since they could do that
> already) could create cvs server and maintain -stable ports tree by
> themselves?

Please no. Instead you should urge the project to pay more attention to the stable branch, if that's how you feel. Post *your* (yes you) patches for -stable and people can test them, if they work I am sure you can find a developer to commit them.

Backporting is quite a simple process. Usually you can try the one from -current and just check "make lib-depends-check". Sometimes libraries move from ports to base or vice versa which can complicate things slightly.

I'm not sure what you would do with the version number of the port though? Is it the same as in -current?

--
Best Regards
Edd
---
http://students.dec.bournemouth.ac.uk/ebarrett
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Thu, Nov 29, 2007 at 12:46:27AM -0800, J.C. Roberts wrote:
> > Maybe some ports@ people (not openbsd developers, since they could do
> > that already) could create cvs server and maintain -stable ports tree
> > by themselves?
> >
> > I would step in.
>
> And why the hell would you trust a third party cvs server of ports-stable
> if it's not being run by the same security conscious folks who normally
> handle the ports tree?

You don't have to trust it.

It's not a bad idea per se. This is how open source is supposed to work. I would not tell people not to do this, even if they did it only to gain some experience with porting.

If such a project were launched, it's possible that at some point in time some people will have grown the skills to maintain the proper -stable ports tree. OpenBSD needs these people to fill the gap.

In the worst case, no one ever checks out their 3rd party ports tree. But no one is losing anything.

--
stefan
http://stsp.name PGP Key: 0xF59D25F0
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Wed, Nov 28, 2007 at 09:15:48PM -0800, Unix Fan wrote:
> In any sense, I backported and compiled Firefox 2.0.0.10... It seems to be
> working..

Great. See, it's not that hard :)

> I'll upload a precompiled package if anyone else wants it... ;)

Diffs against the ports tree are *much* better than binaries for a community-driven maintenance approach. Unless they come from a trusted source (officially endorsed OpenBSD -stable ports tree maintainer) nobody is gonna install binaries. You cannot review binaries before applying them to your system (in a reasonable amount of time).

--
stefan
http://stsp.name PGP Key: 0xF59D25F0
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Wednesday 28 November 2007, Nikns Siankin wrote:
> On Wed, Nov 28, 2007 at 03:49:16PM -0800, Unix Fan wrote:
> > This really is stupid, a majority of the users of OpenBSD purchased
> > 4.2 CD's.. are likely expecting it would be a supported release.
> >
> > -CURRENT is a rapidly moving target, and I don't feel like updating
> > my kernel a billion times a month... just to get the latest version
> > of firefox!
> >
> > Ports should only be updated for the "latest" release, not
> > -CURRENT... a secure OS is nothing without secure software...
>
> I agree with you completely!
>
> Maybe some ports@ people (not openbsd developers, since they could do
> that already) could create cvs server and maintain -stable ports tree
> by themselves?
>
> I would step in.

And why the hell would you trust a third party cvs server of ports-stable if it's not being run by the same security conscious folks who normally handle the ports tree?

While you're at it, how many of the supported archs do you own? Even if you happen to own the required hardware, how many of them are running 4.2-STABLE at this moment?

http://www.openbsd.org/goals.html
* Provide the best development platform possible ...
* Focus on being developer-oriented in all senses ...

The developers run -CURRENT. It's where the real work gets done. They dedicate their free time to making things better for the next release and no one has the right to tell them how to spend their free time.

And guess what, I only run -STABLE (with the rare exception when a dev asks me to do otherwise on a test box). Worse yet, I've spent the last week of my life trying to backport the changes to KDE (and all related audio libs) to just get aRts working again.

Even if by some miracle I succeed, do you really want to be running my Franken-Source? Truth be told, *I* do not even want to be running my own Franken-Source but I hope it won't hurt me too much to give fixing it a try (and I might be totally wrong about the "not hurting myself" part).

You need to accept the fact that there is simply not enough free time available for the real developers to do everything.

Kind Regards,
JCR
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Wed, Nov 28, 2007 at 03:49:16PM -0800, Unix Fan wrote:
> This really is stupid, a majority of the users of OpenBSD purchased 4.2 CD's..
> are likely expecting it would be a supported release.
>
> -CURRENT is a rapidly moving target, and I don't feel like updating my kernel
> a billion times a month... just to get the latest version of firefox!
>
> Ports should only be updated for the "latest" release, not -CURRENT... a
> secure OS is nothing without secure software...

I agree with you completely!

Maybe some ports@ people (not openbsd developers, since they could do that already) could create cvs server and maintain -stable ports tree by themselves?

I would step in.

> -Nix Fan.
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
> based on the way you've chosen to address the issue you probably have no
> clue about what additional actual security is supplied by going 2.0.0.9
> -> 2.0.0.10. if this is so freaking important, why not post some code
> for the killer exploit that you can run against firefox 2.0.0.9?

For your information, OpenBSD 4.2 is still using Firefox 2.0.0.6... not even 2.0.0.9 is available for 4.2 users..

Even OpenBSD 4.1 has a stable port of 2.0.0.7, but still... 4.2 users have an older version... sanity? I think not!!

In any sense, I backported and compiled Firefox 2.0.0.10... It seems to be working..

I'll upload a precompiled package if anyone else wants it... ;)

-Nix Fan.
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Thu, 28 Nov 2007, Unix Fan wrote:
> a secure OS is nothing without secure software...

I wouldn't say nothing! It is definitely a good thing that the base system is secure. (For example, it's usually possible to use only the base system when doing system maintenance, which limits the risk of unauthorized root access due to unsecure ports and packages.)

And if you need really secure and robust applications as well, be sure to note the important disclaimer at http://www.openbsd.org/faq/faq15.html#Intro:

"The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security."

That is, just improving tracking and distribution of the latest upstream updates may not fulfill your needs completely...

/Johan Zandin
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On 28 Nov 2007 15:49:16 -0800, Unix Fan <[EMAIL PROTECTED]> wrote:
> Ports should only be updated for the "latest" release, not -CURRENT... a
> secure OS is nothing without secure software...

I strongly disagree. Introducing new features into a release willy nilly is a bad way to go about things. I see no problem with integrating first in -current, then if there are security issues in -stable, backport.

--
Best Regards
Edd
---
http://students.dec.bournemouth.ac.uk/ebarrett
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
[EMAIL PROTECTED] wrote:
> This really is stupid, a majority of the users of OpenBSD
> purchased 4.2 CD's.. are likely expecting it would be a supported
> release.
>
> -CURRENT is a rapidly moving target, and I don't feel like
> updating my kernel a billion times a month... just to get the
> latest version of firefox!
>
> Ports should only be updated for the "latest" release, not
> -CURRENT... a secure OS is nothing without secure software...
>
> -Nix Fan.

Thank you for volunteering to keep ports -stable updated;-|

I am also disappointed in the decision to shelve -stable ports (for the time being), but since I lack the time or talent to assist here, I certainly have no right to bitch about it.

BTW, I was able to build -current www/mozilla-firefox on 4.2-stable yesterday, but it was 2.0.9. Looks like I can try 2.0.10...

-Steve S.
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
This really is stupid, a majority of the users of OpenBSD purchased 4.2 CD's.. are likely expecting it would be a supported release.

-CURRENT is a rapidly moving target, and I don't feel like updating my kernel a billion times a month... just to get the latest version of firefox!

Ports should only be updated for the "latest" release, not -CURRENT... a secure OS is nothing without secure software...

-Nix Fan.
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Wed, Nov 28, 2007 at 02:57:01PM -0800, Unix Fan wrote:
> I've been using OpenBSD 4.2 (-STABLE) on my main workstations for a
> few months now, but I'm confused with something...
>
> OpenBSD developers recommend that users use binary packages instead of
> ports, but only users of the bleeding edge -CURRENT codebase get
> access to the latest releases of Firefox (And friends?)..
>
> No offence intended, but when will 2.0.0.10 be available for OpenBSD
> 4.2 users... 2.0.0.6 is outdated, and clearly not secure...

As far as I know, there is currently no dedicated maintainer of the -stable ports tree anymore. I've seen various people post updates to various ports in the -stable ports tree to this list since. This is a good thing IMHO because it distributes the load of updating and backporting ports into -stable from one person to many.

So it's possible that in due time someone might post an update of firefox to this list. You can either wait until someone else does it or do it yourself.

--
stefan
http://stsp.name PGP Key: 0xF59D25F0
Re: Firefox 2.0.0.10? For OpenBSD 4.2-CURRENT only??
On Wed, Nov 28, 2007 at 02:57:01PM -0800, Unix Fan wrote:
> I've been using OpenBSD 4.2 (-STABLE) on my main workstations for a few
> months now, but I'm confused with something...
>
> OpenBSD developers recommend that users use binary packages instead of ports,
> but only users of the bleeding edge -CURRENT codebase get access to the
> latest releases of Firefox (And friends?)..
>
> No offence intended, but when will 2.0.0.10 be available for OpenBSD 4.2
> users... 2.0.0.6 is outdated, and clearly not secure...

Probably never, as -stable branch for ports is dead. There has been lots of discussion on ports, and no one stepped up to help for its maintenance. Lack of time and manpower..

Landry