Glorandar n00b
Joined: 15 Jun 2003 Posts: 64 Location: Vancouver, BC, Canada
Posted: Wed Dec 21, 2005 12:27 am Post subject: Latest x86 stable kpdf ebuild cites a secret gentoo bug?
When I was reviewing today's newly stable x86 (stable) packages, I came across this updated kpdf:
Quote:
kpdf 3.4.3-r3, Tue Dec 20 20:36:15 2005
Description: kpdf, a kde pdf viewer based on xpdf
Changes:
20 Dec 2005; Mark Loeser (halcy0n) kpdf-3.4.3-r3.ebuild: Stable on x86; bug #115851
As you can see, it cites gentoo bug #115851.
Well, when I queried gentoo bug #115851, I got the following response from bugzilla (despite being logged in):
Quote:
Access Denied
You are not authorized to access bug #115851.
Please press Back and try again.
This begs the question: What is so secret that a user (me) doesn't have access to the bug report?
If it is a deep secret, why cite it in the ebuild's ChangeLog?
Of course, this might be merely a typo in the ChangeLog...
Further, why would I trust this kpdf ebuild enough, given this "access denied" bug, to install it on my workstation?
Catch-22 Apprentice
Joined: 22 Oct 2004 Posts: 244
Posted: Wed Dec 21, 2005 12:32 am Post subject:
you could always diff the source...
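One way to act on that suggestion, as an added example that is not part of the thread and not kpdf's or Gentoo's own tooling: unpack the source behind the previous and the new ebuild revision (tarball plus the patches in the ebuild's files directory), diff the two trees, and read the changed lines that touch allocation or length handling first. The two toy trees built under `$WORK`, the `Stream.cc` contents and the `readBlock` function are constructed for the demo and only mimic the xpdf layout; the grep pattern is a triage heuristic, not a vulnerability detector.

```shell
#!/bin/sh
# Added example, not from the thread: review a security revision bump by
# diffing the two unpacked source trees yourself when the bug is hidden.
# Everything under "$WORK" is a constructed toy tree; the file and function
# names only mimic the kpdf/xpdf layout and are not real kpdf code.
set -eu

# Print "path added removed" for each file that differs between OLD and NEW.
# -N treats a missing file as empty, so added and deleted files are listed too.
summarise_tree_diff() {
    old=${1%/} new=${2%/}
    diff -ruN "$old" "$new" | awk -v new="$new/" '
        /^\+\+\+ / {                       # new-side header: derive the relative path
            p = $0; sub(/^\+\+\+ /, "", p); sub(/\t.*/, "", p)
            if (index(p, new) == 1) p = substr(p, length(new) + 1)
            f = p; seen[f] = 1; next
        }
        /^--- / { next }                   # old-side header, not a removed line
        /^\+/   { add[f]++ }
        /^-/    { del[f]++ }
        END { for (f in seen) printf "%s %d %d\n", f, add[f] + 0, del[f] + 0 }
    ' | sort
}

count_changed_files() {
    summarise_tree_diff "$1" "$2" | awk 'END { print NR + 0 }'
}

# Triage heuristic: show changed lines that touch allocation, copying or
# length arithmetic, the usual home of a memory-safety fix in a PDF parser.
flag_risky_changes() {
    diff -ruN "$1" "$2" \
        | grep -E '^[-+][^-+]' \
        | grep -E '(m|re)alloc|memcpy|strn?cpy|sprintf|size|len' || true
}

count_risky_changes() {
    flag_risky_changes "$1" "$2" | awk 'END { print NR + 0 }'
}

# --- constructed demo trees: an "old" release and the "fixed" one ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
OLD="$WORK/kpdf-old" NEW="$WORK/kpdf-new"
mkdir -p "$OLD/xpdf" "$NEW/xpdf"

cat > "$OLD/xpdf/Stream.cc" <<'EOF'
char *readBlock(int n) {
  char *buf = (char *)malloc(n * 4);
  fill(buf, n * 4);
  return buf;
}
EOF

# The hypothetical fix: reject bad sizes and widen before multiplying.
cat > "$NEW/xpdf/Stream.cc" <<'EOF'
char *readBlock(int n) {
  if (n < 0 || n > MAX_BLOCK) return NULL;
  char *buf = (char *)malloc((size_t)n * 4);
  fill(buf, n * 4);
  return buf;
}
EOF

printf 'unchanged\n' > "$OLD/README"
cp "$OLD/README" "$NEW/README"
printf 'notes for this release\n' > "$NEW/CHANGES"

echo "== changed files (path added removed)"
summarise_tree_diff "$OLD" "$NEW"
echo "== changed lines worth reading first"
flag_risky_changes "$OLD" "$NEW"
```

On a real tree you would point `summarise_tree_diff` at the two unpacked work directories (for example `ebuild kpdf-3.4.3-r2.ebuild unpack` and the same for `-r3`, then the `work` directories under `PORTAGE_TMPDIR`); the summary tells you how much actually changed, and the flagged lines are where to start reading when nobody will tell you what the bug was.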
Earthwings Bodhisattva
Joined: 14 Apr 2003 Posts: 7753 Location: Germany
Posted: Wed Dec 21, 2005 12:34 am Post subject:
Some bugs (e.g. security related) are restricted to developers or people with similar access rights. Please file a bug report that either the access settings for this bug should be changed (if it's a security problem that got fixed, this should be fine now) or the ebuild message should be changed.
reynolds531 Apprentice
Joined: 23 Apr 2005 Posts: 260 Location: Rochester, NY
Posted: Wed Dec 21, 2005 12:37 am Post subject:
I'm just guessing, but there was a recent security problem with xpdf and the programs that rely on xpdf code (among them kpdf, I believe). It's possible this bug was masked to avoid revealing an exploit before the fix was made. Or maybe George Bush is running gentoo these days.
Catch-22 Apprentice
Joined: 22 Oct 2004 Posts: 244
Posted: Wed Dec 21, 2005 12:38 am Post subject:
maybe they're just waiting for the new version to be marked stable on all archs?
*shrugs*
ciaranm Retired Dev
Joined: 19 Jul 2003 Posts: 1719 Location: In Hiding
Posted: Wed Dec 21, 2005 6:50 am Post subject:
Rather icky situation. For certain security bugs, we have to agree not to disclose them (even to most Gentoo developers, hence the piss-poor QA done on many security bumps) for a certain amount of time, or we won't be told about them. If we don't agree to VendorSec's demands on this, we end up having to wait for months after the other distributions do fixes before we get the details...
Wouldn't be so bad if it were only a week or so, but quite often it isn't...
codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
Posted: Wed Dec 21, 2005 7:46 am Post subject:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.
playfool l33t
Joined: 01 Jun 2004 Posts: 688 Location: Århus, Denmark
Posted: Wed Dec 21, 2005 10:08 am Post subject:
codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.
Yep, VendorSec sucks the big one one one when it comes to disclosure.
ciaranm Retired Dev
Joined: 19 Jul 2003 Posts: 1719 Location: In Hiding
Posted: Wed Dec 21, 2005 5:57 pm Post subject:
codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.
Yup, we have to wait until RedHat, Debian et al. are up to date.
codergeek42 Bodhisattva
Joined: 05 Apr 2004 Posts: 5142 Location: Anaheim, CA (USA)
Posted: Wed Dec 21, 2005 5:58 pm Post subject:
Ah. Ok. Thanks for the explanation.
Carlo Developer
Joined: 12 Aug 2002 Posts: 3356
Posted: Thu Dec 22, 2005 5:38 pm Post subject:
codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.
Yes, it's pretty braindead. Everyone can grab the code from KDE svn and inspect it, while some vendor-sec participants seem to value their holidays... I'd love it if we had a better message than "access denied" as long as we can't open the bug and announce the issue.
ciaranm Retired Dev
Joined: 19 Jul 2003 Posts: 1719 Location: In Hiding
Posted: Thu Dec 22, 2005 6:39 pm Post subject:
Carlo wrote:
Yes, it's pretty braindead. Everyone can grab the code from KDE svn and inspect it, while some vendor-sec participants seem to value their holidays... I'd love it if we had a better message than "access denied" as long as we can't open the bug and announce the issue.
You should ask Jeff. You know how much he loves tinkering with the Bugzilla source.