Gentoo Forums
Latest x86 stable kdpf ebuild cites a secret gentoo bug?
Forum: Gentoo Chat

Glorandar (n00b)
Joined: 15 Jun 2003
Posts: 64
Location: Vancouver, BC, Canada

Posted: Wed Dec 21, 2005 12:27 am    Post subject: Latest x86 stable kdpf ebuild cites a secret gentoo bug?

When I was reviewing today's newly stable x86 (stable) packages, I came across this updated kpdf:
Quote:
kpdf 3.4.3-r3, Tue Dec 20 20:36:15 2005

Description: kpdf, a kde pdf viewer based on xpdf

Changes:
20 Dec 2005; Mark Loeser (halcy0n) kpdf-3.4.3-r3.ebuild: Stable on x86; bug #115851
As you can see, it cites gentoo bug #115851.

Well, when I queried gentoo bug #115851, I got the following response from bugzilla (despite being logged in):
Quote:

Access Denied
You are not authorized to access bug #115851.

Please press Back and try again.

This begs the question: What is so secret that a user (me) doesn't have access to the bug report?

If it is a deep secret, why cite it in the ebuild's ChangeLog?

Of course, this might be merely a typo in the ChangeLog...

Further, why would I trust this kpdf ebuild enough, given this "access denied" bug, to install it on my workstation?
Catch-22 (Apprentice)
Joined: 22 Oct 2004
Posts: 244

Posted: Wed Dec 21, 2005 12:32 am

you could always diff the source...
Earthwings (Bodhisattva)
Joined: 14 Apr 2003
Posts: 7753
Location: Germany

Posted: Wed Dec 21, 2005 12:34 am

Some bugs (e.g. security related) are restricted to developers or people with similar access rights. Please file a bug report that either the access settings for this bug should be changed (if it's a security problem that got fixed, this should be fine now) or the ebuild message should be changed.
reynolds531 (Apprentice)
Joined: 23 Apr 2005
Posts: 260
Location: Rochester, NY

Posted: Wed Dec 21, 2005 12:37 am

I'm just guessing, but there was a recent security problem with xpdf and the programs that rely on xpdf code (among them kpdf, I believe). It's possible this bug was masked to avoid revealing an exploit before the fix was made. Or maybe George Bush is running gentoo these days.
Catch-22 (Apprentice)
Joined: 22 Oct 2004
Posts: 244

Posted: Wed Dec 21, 2005 12:38 am

maybe they're just waiting for the new version to be marked stable on all archs?
*shrugs*
ciaranm (Retired Dev)
Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Wed Dec 21, 2005 6:50 am

Rather icky situation. For certain security bugs, we have to agree not to disclose them (even to most Gentoo developers, hence the piss-poor QA done on many security bumps) for a certain amount of time, or we won't be told about them. If we don't agree to VendorSec's demands on this, we end up having to wait for months after the other distributions do fixes before we get the details...

Wouldn't be so bad if it were only a week or so, but quite often it isn't...
codergeek42 (Bodhisattva)
Joined: 05 Apr 2004
Posts: 5142
Location: Anaheim, CA (USA)

Posted: Wed Dec 21, 2005 7:46 am

So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.
playfool (l33t)
Joined: 01 Jun 2004
Posts: 688
Location: Århus, Denmark

Posted: Wed Dec 21, 2005 10:08 am

codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.

Yep, VendorSec sucks the big one one one when it comes to disclosure.
ciaranm (Retired Dev)
Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Wed Dec 21, 2005 5:57 pm

codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.

Yup, we have to wait until RedHat, Debian et al. are up to date.
codergeek42 (Bodhisattva)
Joined: 05 Apr 2004
Posts: 5142
Location: Anaheim, CA (USA)

Posted: Wed Dec 21, 2005 5:58 pm

Ah. Ok. Thanks for the explanation. :)
Carlo (Developer)
Joined: 12 Aug 2002
Posts: 3356

Posted: Thu Dec 22, 2005 5:38 pm

codergeek42 wrote:
So even after it's all been patched and whatnot, you're still required to keep it hidden for a while? Wow.

Yes, it's pretty braindead. Everyone can grab the code from KDE svn and inspect it, while some vendor-sec participants seem to value their holidays... I'd love if we had a better message than "access denied" as long as we can't open the bug and announce the issue.
ciaranm (Retired Dev)
Joined: 19 Jul 2003
Posts: 1719
Location: In Hiding

Posted: Thu Dec 22, 2005 6:39 pm

Carlo wrote:
Yes, it's pretty braindead. Everyone can grab the code from KDE svn and inspect it, while some vendor-sec participants seem to value their holidays... I'd love if we had a better message than "access denied" as long as we can't open the bug and announce the issue.

You should ask Jeff. You know how much he loves tinkering with the Bugzilla source.