List:       kde-release-team
Subject:    Re: Leak of Frameworks 5.88.0
From:       Ben Cooksley <bcooksley () kde ! org>
Date:       2021-11-14 3:52:46
Message-ID: CA+XidOEOfK0JtkEC_-ckVWTrbuY-Oreq3kK2Pg0aT70TAmX3Qw () mail ! gmail ! com
On Sun, Nov 14, 2021 at 9:42 AM Marc Deop i Argemí <marcdeop@fedoraproject.org> wrote:

> On Saturday, 13 November 2021 03:49:32 CET Ben Cooksley wrote:
> > Hi all,
>

Hi Marc,

>
> > It has recently been brought to my attention that packages of KDE
> > Frameworks 5.88.0 have been prematurely released by the distribution
> > PCLinuxOS, as visible at https://repology.org/project/krunner/versions
> >
>
> Maybe (hopefully) it was just a mistake?  We should contact them and ask. (I
> acknowledge this seems like wishful thinking though).
>
> > they obtained the packages from someone else (either because they directly
> > shared their access, because they shared the packages with PCLinuxOS or
> > because PCLinuxOS has discovered the location of source packages for one or
> > more distributions).
>
> As Neal mentioned in another email, some distros already have the packages
> prepared and they are publicly available (Fedora, Mageia and possibly others)
> although not in their stable releases.
>
> In particular, we (Fedora KDE-SIG) build the packages in Rawhide (the
> development version of Fedora) and we use a COPR (like an Ubuntu PPA) under my
> namespace to build packages for early adopters who help us find issues.
>
> Unfortunately, if somebody wants to gather the sources from those places they
> certainly can do so without real blockers.
>
> If it's a problem, we can stop building in COPR until the release is official. I
> asked a few months ago and I was told it was ok to have it as long as it was
> not publicly announced (I don't remember who told me though, apologies).
>

That may have been me :)


> The big problem here is: not building in Rawhide would complicate preparing
> packages quite a bit for us. We could probably find a solution, of course, but
> I'd rather not change the existing mechanism for practical reasons.
>

As long as the COPR repository in question is not widely advertised I think
what you're doing is perfectly fine.
From my understanding your repository is only shared among members of your
team and it isn't marked as official so nobody else should be aware of it.


>
> > It would be appreciated if distributions could please review whether it is
> > possible that PCLinuxOS obtained the packages via them and ask the
> > PCLinuxOS team to please contact us as it would be preferable that such
> > premature leaks/releases did not take place.
> >
>
> I will make sure to bring this up on our (Fedora KDE-SIG) next meeting on
> Monday to talk about it. Any KDE person is more than welcome to join (Nate,
> Carl, Aleix join us somehow often :-) )
>

Thanks.

One possibility is that distributions could periodically change the
location where they "stage" the packages before release (by renaming the
repository, creating a new one, etc) to ensure that only those who should
be aware of the correct URL to the repository have it to hand.

Cheers,
Ben
