Bug 474870

Summary: Maintainer Please Respond
Product: [Fedora] Fedora Reporter: Joel <jdy>
Component: gallery2Assignee: Gwyn Ciesla <gwync>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: low    
Version: 10CC: adrian, gwync, jdy, john, mike, thoger
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-02-11 19:31:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joel 2008-12-05 17:21:46 UTC 
Description of problem:

There are outstanding bugs against this package including security issues to which you haven't responded in a significant period of time.  Furthermore you haven't responded to private emails.

Additional info:

https://bugzilla.redhat.com/show_bug.cgi?id=462703
https://bugzilla.redhat.com/show_bug.cgi?id=462871
https://bugzilla.redhat.com/show_bug.cgi?id=462872
https://bugzilla.redhat.com/show_bug.cgi?id=471636
https://bugzilla.redhat.com/show_bug.cgi?id=462870
https://bugzilla.redhat.com/show_bug.cgi?id=462883
https://bugzilla.redhat.com/show_bug.cgi?id=462885

Note that many of these bugs have CVE numbers assigned.

Question:  Why hasn't security-response-team escalated this problem as their are outstanding security vulnerabilities?
Comment 1 Michael Cronenworth 2008-12-05 18:09:08 UTC 
I'd like to add the "bugzilla" package to this response request with the following bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=465958
https://bugzilla.redhat.com/show_bug.cgi?id=466077
https://bugzilla.redhat.com/show_bug.cgi?id=474250
Comment 2 Joel 2008-12-05 18:31:47 UTC 
Note that this packager has the following packages listed in koji:

http://koji.fedoraproject.org/koji/userinfo?userID=225

ratpoison:
http://koji.fedoraproject.org/koji/userinfo?userID=225

outstanding bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=473940
https://bugzilla.redhat.com/show_bug.cgi?id=426739
https://bugzilla.redhat.com/show_bug.cgi?id=455084

squidguard:
http://koji.fedoraproject.org/koji/packageinfo?packageID=3866

outstanding bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=452467
https://bugzilla.redhat.com/show_bug.cgi?id=453461
https://bugzilla.redhat.com/show_bug.cgi?id=245377
https://bugzilla.redhat.com/show_bug.cgi?id=247065

wordpress:
http://koji.fedoraproject.org/koji/packageinfo?packageID=4118

Adrian has been keeping this one updated but John does have several security bugs assigned to him:

https://bugzilla.redhat.com/show_bug.cgi?id=421141
https://bugzilla.redhat.com/show_bug.cgi?id=471990
https://bugzilla.redhat.com/show_bug.cgi?id=471991
https://bugzilla.redhat.com/show_bug.cgi?id=471992

bugzilla:
http://koji.fedoraproject.org/koji/packageinfo?packageID=1420

Spot made one rebuild.

bugs assigned:  (Many)
https://bugzilla.redhat.com/show_bug.cgi?id=465958
https://bugzilla.redhat.com/show_bug.cgi?id=465957
https://bugzilla.redhat.com/show_bug.cgi?id=461049
https://bugzilla.redhat.com/show_bug.cgi?id=458848
https://bugzilla.redhat.com/show_bug.cgi?id=471088
etc.
Comment 3 Tomas Hoger 2008-12-09 18:26:24 UTC 
(In reply to comment #0)
> Question:  Why hasn't security-response-team escalated this problem as their
> are outstanding security vulnerabilities?

security-response-team@'s support for Fedora is mostly limited to making sure maintainers get notified about the issues, helping analyse issues and get known / upstream patches.  Actually, it most cases there's little need for us to get involved in real package updating.

(In reply to comment #2)
> wordpress:
> https://bugzilla.redhat.com/show_bug.cgi?id=421141

CVE-2007-6318, looking at the upstream bug, it's not clear whether this issue ever got fixed upstream.

> https://bugzilla.redhat.com/show_bug.cgi?id=471990
> https://bugzilla.redhat.com/show_bug.cgi?id=471991
> https://bugzilla.redhat.com/show_bug.cgi?id=471992

CVE-2008-5113, this is a low impact issue, that requires non-trivial change and the fix should really come upstream.


Given the list, it looks like John is probably busy with his real life and may not have enough time for Fedora.  Have you asked him to orphan some of his packages, or possibly requested co-maintainership?
Comment 4 Gwyn Ciesla 2008-12-09 18:40:06 UTC 
I believe that was the gist of the recent thread on -devel.
Comment 5 Joel 2008-12-15 04:45:40 UTC 
> Have you asked him to orphan some of his
> packages, or possibly requested co-maintainership?

How if he doesn't respond to private emails or bugs?
Comment 6 Joel 2008-12-15 04:51:10 UTC 
Second non-responsive maintainer bug opened at:

https://bugzilla.redhat.com//show_bug.cgi?id=476477
Comment 7 Gwyn Ciesla 2009-01-13 15:28:19 UTC 
I think enough time has elapsed to take this to FESCO.  Joel, you reported, you want to do the honors?

I'll take gallery2 if approved, and would consider others.
Comment 8 Gwyn Ciesla 2009-01-13 15:28:40 UTC 
*** Bug 476477 has been marked as a duplicate of this bug. ***
Comment 9 Joel 2009-01-26 21:09:41 UTC 
Notification to the devel list posted:

https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01757.html

Please orphan and/or release maintainership from John Berninger for all his packages.  Thanks Cry.
Comment 10 Joel 2009-01-26 21:15:47 UTC 
Original post to devel list was:

https://www.redhat.com/archives/fedora-devel-list/2008-December/msg00237.html
Comment 11 John Berninger 2009-02-03 19:09:21 UTC 
Yes, I've been unresponsive - my fault, no excuses.  I've not had time to do anything with Fedora recently and should have realized that sooner.  Anyone who would like to take over my packages is more than welcome to do so, as I don't see my time getting freed up in the near future any more than it has been in the recent past.
Comment 12 Gwyn Ciesla 2009-02-03 19:18:06 UTC 
Can you orphan them in pkgdb, once maintainers volunteer?  

https://admin.fedoraproject.org/pkgdb

I'll take gallery2, and would consider others that you don't have time for and others won't take.
Comment 13 John Berninger 2009-02-03 19:26:34 UTC 
gallery2 and bugzilla have been orphaned - the other big one is wordpress.  squidGuard and ratpoison are (or seem to be) lower-demand packages; anyone that cares to take them can do so.
Comment 14 Fedora Admin XMLRPC Client 2009-02-03 19:29:20 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 15 Kevin Fenzi 2009-02-03 21:56:24 UTC 
I can take ratpoison if no one else wants it. ;)
Comment 16 John Berninger 2009-02-03 22:28:34 UTC 
it's all yours
Comment 17 Joel 2009-02-03 22:44:01 UTC 
Thanks John for stepping up and orphaning the packages.

Even huger thanks for even packaging and pushing these packages (my favs are wordpress and gallery2) into Fedora in the first place.  Totally awesome.

Thanks!

Joel
Comment 18 Gwyn Ciesla 2009-02-04 19:22:45 UTC 
I'll take wordpress if no one else wants it.
Comment 19 Gwyn Ciesla 2009-02-04 19:42:09 UTC 
Adding Adrian.  Adrian, do you want wordpress, or should I take it over.  There's a few security bugs and 2.7 is out.
Comment 20 Adrian Reber 2009-02-04 21:00:55 UTC 
I take wordpress. There is already a bug open for the 2.7 release. I will update it (I am waiting for 2.7.1). Jon, if you want to co-maintain, you are welcome.
Comment 21 Gwyn Ciesla 2009-02-04 21:04:51 UTC 
Excellent.
Comment 22 Michael Cronenworth 2009-02-04 22:12:50 UTC 
Can someone, preferably John Berninger, announce in fedora-devel-list that these packages are being orphaned. At least announce the remaining packages. I'm anxious to see an updated bugzilla package. There's some new features + security updates in the jump from 3.0.4 (fedora) to 3.2.2 (upstream).
Comment 23 Gwyn Ciesla 2009-02-11 19:22:11 UTC 
SquidGuard taken.
Comment 24 Joel 2009-02-11 19:31:29 UTC 
It seems that all of the projects have been adopted.  I think this bug can be closed now.