Michael Schwendt <mschwendt@xxxxxxxxx> writes:

> On Fri, 31 Jan 2020 at 18:11, Robbie Harwood <rharwood@xxxxxxxxxx> wrote:
>>
>> I could have also needinfo(Michael) (and in hindsight I probably
>> should have), but based on their reaction, I don't think they would
>> have been any happier with that.
>
> I would have preferred private email over assigning multiple tickets
> to me and causing bugzilla spam for all the ticket changes including
> (!) multiple needinfo inquiries.

You received a total of between 4 and 8 emails depending on how bugzilla
batched them. My apologies for the extra 3-7.

>> Andreas Bierfert (awjb), who was recently declared non-responsive.
>
> That could have been mentioned. Is that when some process transferred
> EPEL packages to me without prior asking?

I did mention it. My words were that "the maintainer is no longer
active in Fedora, and you're the default assignee for the package".
Your response, by the way, was: "Would you mind becoming familiar with
the Fedora Project a bit?".

>> My view is that there's an open security bug, so it's reasonable to want
>> to know whether it's going to be fixed.
>
> You consider it reasonable to look into ancient security issues after
> almost five years? The related tracking bugs did serve no purpose for
> almost five years?

Yes? This shouldn't come as a surprise to you. The whole process of
security bugs, CVEs, and the like exists to get them *fixed*. If they
are in fact not, you might not care about EPEL, but EPEL doesn't want to
ship vulnerable software any more than you do.

>> Someone responsible for another branch of the package should be able
>> to check trivially - and is indeed the best person to ask, since
>> they're the most locally knowledgeable.
>
> As I've pointed out in private email, with proper reporting and
> tracking of those CVEs, the CVE ids would be mentioned in the spec
> %changelog of the Fedora package, where typically a much newer version
> is packaged. If none of those security issues has been reported for
> Fedora, it should be safe to assume that the Fedora packages have not
> been deemed vulnerable.

You are repeatedly ignoring that I'm not concerned about the Fedora
package. Please stop.

You are subject matter expert for the project. No one is better suited
than you to answer the question of whether a given version is affected
or not.

>> In communication with Michael, I did explain that if no one was
>> responsible for these branches, they should retire the branches.
>> Michael's view in that discussion seemed to be that the problem was
>> one I had created, and therefore one I should fix. (Michael can
>> retire the branches while I, an unrelated contributor without
>> ProvenPackager, cannot.)
>
> As pointed out, I don't keep an eye on EPEL. I'm completely surprised
> that all of a sudden I am expected to look into EPEL packaging
> matters. I still don't understand why I have become the assignee of
> EPEL tickets and possibly EPEL packages, too, when I never asked for
> that.

I mentioned that in my emails, and people have repeatedly explained it
to you here too. I *also* mentioned in my email that if no one is
responsible for them to your knowledge, the proper thing to do was to
remove the branches, and provided you information on how to do so.

This isn't a silo. We're supposed to be working together, and helping
each other. Your responses of refusing to even consider answering
questions about EPEL, replete condescension, and refusal to actually
read what I (and others) have been saying continue to make this
difficult. Please stop.

Thanks,
--Robbie
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx