Re: issues list(s)

On Fri, 23 Sep 2005, Eric Rostetter wrote:
I didn't yet update the PUBLISH votes, because the patches need to be
verified, check the requirements at:

http://www.fedoraproject.org/wiki/Legacy/QAPublish

That doesn't explicitly state that I must do so.  If each of the things
there *must* be done, then you need to make that more clear, and restate
things that are optional as being optional, and restate what you mean since
it isn't clear.

It should: the first three steps are mandatory. I tried to see if I could add clarification on this, but apparently I don't have the edit rights for the page (shouldn't it be more open?)

The latter bullet points are optional (which is mentioned there), implying (but not saying) that the previous ones are mandatory.

I did diff the files, I did inspect the patch(es).  I even *tested* the
patched packages to make sure they fixed the problem.  I didn't see
anything unusual when I look at the patched code.  I just didn't try to find
the "original source" or "upstream patch" it was based on and compare them.

Since others have already (before me) verified the patches versus the
upstream provider, I think it can be implied that they are valid
in my version since the sha1sum matched for both them and me.  If not, the
other person needs to be banished. ;)  But I see there is a trust issue here,
so I get why I should have done this step.

The others have only verified the patch on the OS version for which they gave a PUBLISH vote; the patches could be different -- one could have a trojan (or just an honest mistake!), while the already QA'd version doesn't.

If the SHA1sum of the patches (already verified) matches the one at your OS version (i.e., the identical patch in multiple OS versions), yes, there is no technical reason to have to verify the patch again. But for clarity, it should be pointed out in the PUBLISH vote message.

In addition, PUBLISH needs to be done for all distro versions before
the package can be built.  Would it be possible to do the FC1 review for
a2ps?

No, I don't run FC1.

As you wish, but note that giving PUBLISH votes does not require one to run the OS version in question. I.e., it is not required to test the package; just reviewing 1) source integrity, 2) the .spec file, and 3) the new patches [if they come from an already-QA'd source] is sufficient.

So, are my PUBLISH votes worth zero votes since I didn't compare the
patch against the upstream publisher's version, despite all the other
work I did?  Or maybe they can at least be a 0.5 vote?

I'm a bit impartial in this because I proposed the packages in the first place, but I think verifying the patches is essential. Even thorough testing of the packages may not show problems if the patch is not (quite) right.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

--

fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
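
The SHA1 comparison discussed in this thread, as an added example that is not part of the original messages or of any Fedora Legacy tooling: it compares the patches of an already-QA'd source tree with those of the tree under review and reports which ones still need checking against upstream. The function name `compare_patches`, the directory layout (two unpacked source packages holding `*.patch` files with matching names) and the demo files are assumptions made for illustration.

```shell
#!/bin/sh
# compare_patches QA_DIR REVIEW_DIR   (hypothetical helper, not a project tool)
# QA_DIR:     unpacked source package whose patches were already verified
# REVIEW_DIR: unpacked source package for the OS version under review
# Prints one line per *.patch file in REVIEW_DIR:
#   SAME <name>     SHA1 identical to the verified copy, no re-verification needed
#   DIFFERS <name>  same file name but different content, verify against upstream
#   NEW <name>      no verified copy with that name, verify against upstream
# Returns 0 only when every patch is SAME.
compare_patches() {
    qa_dir=$1
    review_dir=$2
    status=0
    for p in "$review_dir"/*.patch; do
        [ -e "$p" ] || continue          # glob matched nothing
        name=${p##*/}
        if [ ! -f "$qa_dir/$name" ]; then
            echo "NEW $name"
            status=1
            continue
        fi
        verified=$(sha1sum < "$qa_dir/$name" | cut -d' ' -f1)
        candidate=$(sha1sum < "$p" | cut -d' ' -f1)
        if [ "$verified" = "$candidate" ]; then
            echo "SAME $name"
        else
            echo "DIFFERS $name"
            status=1
        fi
    done
    return $status
}

# Constructed demo data: two tiny patch trees in a temporary directory.
demo=$(mktemp -d)
mkdir "$demo/qa" "$demo/review"
printf 'fix A\n' > "$demo/qa/a.patch"
cp "$demo/qa/a.patch" "$demo/review/a.patch"
printf 'fix B\n' > "$demo/qa/b.patch"
printf 'fix B, altered\n' > "$demo/review/b.patch"
compare_patches "$demo/qa" "$demo/review" ||
    echo "some patches still need verification against upstream"
rm -rf "$demo"
```

The SAME lines are what a reviewer would cite in the PUBLISH vote message to show that an identical, already-verified patch is being relied on.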
