Bug 78497 (pine)

Summary: Please upgrade to version 4.5x
Product: [Retired] Red Hat Linux Reporter: Petri T. Koistinen <thoron>
Component: pineAssignee: Mike A. Harris <mharris>
Status: CLOSED WONTFIX QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 9CC: chris.ricker, menscher, p.van.egdom, ralston, wtogami
Target Milestone: ---Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2002-12-27 03:57:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Petri T. Koistinen 2002-11-24 16:36:50 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Download source from
ftp://ftp.cac.washington.edu/pine/pine4.50.tar.bz2

Additional info:

Comment 1 Mike A. Harris 2002-11-25 12:25:38 UTC
I've had the new version of pine for about 2 weeks now privately, and it
is not yet stable and reliable enough for inclusion in Red Hat Linux
rawhide, nor for enhancement erratum release in prior releases of
Red Hat Linux.

I monitor pine mailing lists closely, and also monitor the development
of it (as close as one can).  I'll be testing each new version as it
becomes available, ane when the new pine 4.5x series seems fairly
stable and reliable, then I will put it into rawhide likely for
beta testing purposes.

In the mean time, I may make unofficial test packages available on
ftp://people.redhat.com sometime, but no promises.  If, and when I
do that, I will update this enhancement request to notify you and
anyone on the CC.

Thanks.


Comment 2 Petri T. Koistinen 2002-11-26 16:40:45 UTC
BTW, does this affect on Red Hat too:
http://www.suse.com/de/security/2002_046_pine.html


Comment 3 Mike A. Harris 2002-11-26 17:30:40 UTC
Yes, and erratum is being tested for that issue.  Pine 4.50 is not
an acceptable solution for fixing a single small security issue.

If people hound me about pine 4.50, I will not release it at all.

Comment 4 Petri T. Koistinen 2002-11-26 19:07:08 UTC
Sorry, that was not my purpose.

Comment 5 Mike A. Harris 2002-11-27 08:22:47 UTC
Ah, sorry..  I've had several people email me demanding that I
release 4.50 to fix the security issue, and thought you were
suggesting similar.

Pine 4.44 erratum is in the pipe being tested which is patched to
fix this problem.

Comment 6 Mike A. Harris 2002-11-27 14:19:49 UTC
This package is not in rawhide, and as above, I'm not planning on putting it
in rawhide just yet.  I put it up as an unofficial unsupported package
for people who really want to use it/test it, whatever.

Please report all bugs in this release of pine directly to the UW pine
team by following the information on their website, etc:

   Pine Information Center:  http://www.washington.edu/pine
   Newsgroup:  comp.mail.pine
   User mailing list and Bug reports: http://www.washington.edu/pine/pine-info/

The RPMs are downloadable from:

ftp://people.redhat.com/mharris/testing/extremely-unstable-development-code/pine-4.50-1

Enjoy.

Comment 7 Petri T. Koistinen 2002-11-27 20:18:36 UTC
Thank you!

I am dumb enough to test it despite of those serious warnings. ;-)

BTW, these seems to be problem with that URL. I guess
ftp://people.redhat.com/mharris/testing/extremely-unstable-development-code/pine/4.50-1/i386/pine-4.50-1.i386.rpm
is what most people are looking for.

Comment 8 Mike A. Harris 2002-12-27 03:57:51 UTC
I'm closing this for now because I don't feel the need to really track
it in bugzilla.  I've put up pine 4.5x packages above and will update
them as time permits.  There is no plan to include it in the next
release of Red Hat Linux, and I won't put it into the distribution until
I feel that it is truely stable and reliable.  I use pine personally
exclusively, and quite heavily.  I'm now using 4.51 on one of my mail
accounts, and am not impressed so far.

It will likely land in the distro at some point, but no time soon.

Closing this for now as there's no need to track it.

Comment 9 Mike A. Harris 2003-01-15 10:50:16 UTC
*** Bug 81621 has been marked as a duplicate of this bug. ***

Comment 10 Mike A. Harris 2003-01-15 10:59:58 UTC
Update:

Several people are requesting that pine 4.5x (currently 4.52) be added to
the current development of Red Hat Linux.

I am well aware of new pine releases being available, and I am on a private
mailing list for pine development.  Bugs are being reported on that list
in sufficient quantity, that I am simply not willing to update the current
rather stable pine 4.44 version of pine that is in rawhide right now, to
the current official release of pine 4.52, because doing so would lower the
overall quality of pine in Red Hat Linux, and would increase the number of
bugs getting reported.

I have also looked at the pine 4.50 through 4.52 release notes, and I've
compared the new features added with the risks involved of updating the
package.  My decision is a firm decision to ship pine 4.44 in our next
OS release, and I am unable to be convinced otherwise.

I understand completely, how users want the latest and greatest of everything,
and I myself want the latest and greatest of everything also. Sometimes
however, compromises must be made, and things are more important than
the highest version number available.  Stability trumps features, and
pine 4.5x is anything but stable right now.

Being an avid pine user myself, when a new version comes out that I believe
to be fairly stable personally, I will possibly release a pine enhancement
erratum for whatever our current OS release happens to be.  There is no
guarantee of this however.

I'm making this bug report the master dupe for future requests that are
bound to come in also.

Comment 11 Mike A. Harris 2003-01-15 11:00:48 UTC
Updating summary to reflect current version of pine.

Comment 12 Mike A. Harris 2003-01-16 01:50:54 UTC
Updating summary to reflect current version of pine again 2 times in 1 day.

pine 4.53 is now out

Heh, with this frequency of releases, perhaps it will stabilize
in 4 or 5 months time.  ;o)


Comment 13 James Ralston 2003-01-21 01:18:15 UTC
A response of "pine 4.5x isn't stable enough yet" is perfectly reasonable, IMO.

Mike, one question: how often do you apply security fixes to your "extremely
unstable development code" RPMs?

I don't mind running development code (see bug #64218).  But the main reason I
don't like to do so is that there's no easy way to tell when a security
vulnerability has been fixed.

If there's some way I can tell when you apply security fixes to your "extremely
unstable development code" RPMs (e.g., you will always put a note in the
%changelog whenever you smack in a security fix), then I'll cut over to running
those, instead of the hybrid pine RPMs I've built myself...


Comment 14 James Ralston 2003-01-21 01:22:29 UTC
Oops; in my previous comment, I meant to refer to bug #64128, not bug #64218.  Duh.


Comment 15 Mike A. Harris 2003-01-21 02:09:11 UTC
Generally speaking for official distro package updates, whenever a
security issue is fixed in one of my packages, I indicate that it is
a security fix in the RPM spec file changelog except for one
condition:  If a security fix is not public, or can not be disclosed
publically when the fix is added to the package.  Many vulnerabilities
are communicated non publically to Red Hat and other vendors under
conditions which do not permit public disclosure before a certain date.
In those cases, sometimes changelog comments do not contain such
information.

For unstable packages, things get fixed whenever.  Rawhide packages, and
any packages I put up for testing, are not official Red Hat packages and
are not officially supported with security fixes and whatnot.  So if they
contain security problems, there is no guideline of when (or if) they will
be fixed.  Do not rely on rawhide or non-official Red Hat packages to
contain security updates.

That said, the pine in rawhide right now fixes all known security
holes in pine at the time of this writing.

Comment 16 Petri T. Koistinen 2003-04-06 02:04:37 UTC
BTW, Red Hat Linux 9 release notes says that pine is deprecated and may be
removed from a future release of Red Hat Linux because of "License-related
issues". What are these issues and is there any possibility that these issues
are solved?

Comment 17 Mike A. Harris 2003-04-06 02:55:35 UTC
That is correct, pine is present in Red Hat Linux 9 (pine 4.44), and we
have deprecated it with the likelyhood that it will be removed from a
future release.  Users who wish to continue using pine once that occurs,
can either install pine packages from an older release of Red Hat Linux,
or can download pine from somewhere on the Internet and use that.

Alternatively, users also have the option of migrating to a different
mail client.  There are numerous mail clients in the distribution so I
wont make any suggestions as people are free to explore the various
alternatives on their own, and choose one that best meets their needs
if they do not want to download pine separately.

>What are these issues and is there any possibility that these issues
>are solved?

While the RELEASE-NOTES do state "License related issues", that is only
one particular aspect of the issues with pine.  The various issues that
exist with pine are not solved, and due to the nature of them, they are
not likely to be solved any time soon either.

I will not list these issues here, nor will I engage in discussion about
pine in bugzilla, as this is not an appropriate place to stimulate
discussion of such topic.

The bottom line is that pine will be removed from a future release of
Red Hat Linux, and users should either plan on migrating to other
software which is included with the distribution still at that point
in time, or they should plan ahead on downloading pine separately
themselves.


Comment 18 Mike A. Harris 2003-05-20 07:46:32 UTC
Update: pine has now been officially removed from Red Hat Linux in rawhide
currently and will not be included in future products.  It is also fairly
unlikely that we will issue any official pine updates beyond 4.44 in
currently supported Red Hat OS products.

Just providing this information here for completeness.