Bug 1209124 - Non responsive maintainer - Michael Stahnke
Summary: Non responsive maintainer - Michael Stahnke
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: rubygem-activesupport
Version: 23
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Mo Morsi
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 731451 905374 917234 917237 1095129
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-04-06 10:45 UTC by pjp
Modified: 2016-12-20 13:29 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-20 13:29:10 UTC


Attachments (Terms of Use)

Description pjp 2015-04-06 10:45:55 UTC
This bug is filed adhering to Fedora's non-responsive maintainer policy.[1]
Michael Stahnke[1], a Fedora EPEL maintainer for the 'rubygem-activesupport', package, has not been responding to critical security issues in the said package for over an year now. Pending issues are

BZ#905374  CVE-2013-0333 epel6  critical   Reported: 2013-01-29
BZ#1095129 CVE-2014-0130 epel6  important  Reported: 2014-05-07
BZ#731451  CVE-2011-2932 epel6  moderate   Reported: 2011-08-17

@Michael: please respond within 7 days, so as to thwart further policy action.

Thank you.
--
[1] https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers
[2] https://fedoraproject.org/wiki/User:Stahnma

Comment 1 Mo Morsi 2015-04-09 20:43:25 UTC
Hey stahnma were you still interested in maintaining the EPEL rails build? If you were and this is a matter of cycles I can start looking into what it'd take to update EPEL to the latest rails release until you had the time to get back to this (so that no further action would be taken on the Fedora front).

Feel free to get back to me here or via private communications.

Comment 2 pjp 2015-04-14 07:25:40 UTC
Reminder #1
-----------

Hello Michael,

Any updates on #c1 above? Please let us know if you still plan to maintain the 'rubygem-activesupport' package for the EPEL branch.

Thank you.

Comment 3 pjp 2015-04-20 06:17:08 UTC
Reminder #2
-----------

Hello Michael,

Any updates on #c1 above? Please let us know if you still plan to maintain the 'rubygem-activesupport' package for the EPEL branch. By next week, we'd be forced to start the takeover process.[1]

Thank you.
--
[1] https://fedoraproject.org/wiki/Policy_for_nonresponsive_package_maintainers

Comment 4 Michael Stahnke 2015-04-20 16:21:49 UTC
I am not going to have time to fix up these bugs in the near future on EL6. I actually don't use this package on el6 any longer. I welcome any co-maintainers.

Comment 5 pjp 2015-04-20 16:50:01 UTC
(In reply to Michael Stahnke from comment #4)
> I am not going to have time to fix up these bugs in the near future on EL6.
> I actually don't use this package on el6 any longer. I welcome any
> co-maintainers.

  Okay, thanks so much for the update.

Comment 6 pjp 2015-04-20 17:24:51 UTC
  Hello Mo,

Would you like to take over the EPEL branch from Michael? Another option is to send a request on the -devel list.

Thank you.

Comment 7 Mo Morsi 2015-04-21 14:58:42 UTC
Yes I'll start looking into what is needed to update the rails stack in epel in the upcoming weeks.

Comment 8 pjp 2015-04-21 17:38:15 UTC
  Hello Mo,

(In reply to Mo Morsi from comment #7)
> Yes I'll start looking into what is needed to update the rails stack in epel
> in the upcoming weeks.

  Great! Thank you so much Mo. :)

I've linked above 3 bugs to this one, will close this once EPEL builds are pushed.

Thank you.

Comment 9 pjp 2015-05-05 11:30:56 UTC
Couple of other packages maintained by Michael have these pending issues

  CVE-2013-1802 -> https://bugzilla.redhat.com/show_bug.cgi?id=917234
  CVE-2013-1800 -> https://bugzilla.redhat.com/show_bug.cgi?id=917237

I'd pinged Michael via email last week, but no response from him yet.

Comment 10 pjp 2015-05-05 11:34:07 UTC
@Mo: would it be possible for you to take look at above two issues?

Comment 11 Mo Morsi 2015-05-05 12:43:49 UTC
Will add them to the list but can't commit to those atm, the rails update will prolly take some time. It looks like rubygem-crack is a dependency of webmock & inode, it'd be a shame to lose those in epel.

http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps

Comment 12 pjp 2015-05-05 17:45:07 UTC
  Hello Mo,

(In reply to Mo Morsi from comment #11)
> Will add them to the list but can't commit to those atm,

  Thank you so much! I appreciate it.

> the rails update will prolly take some time. It looks like rubygem-crack
> is a dependency of webmock & inode, it'd be a shame to lose those in epel.
> 
> http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps

  True. Would it be possible for you to co-maintain it for EPEL? If not, maybe we could try -devel list if someone is willing to become a maintainer for them.

Thank you.

Comment 13 pjp 2015-05-27 05:53:12 UTC
  Hello Mo,

(In reply to Mo Morsi from comment #11)
> Will add them to the list but can't commit to those atm, the rails update
> will prolly take some time. It looks like rubygem-crack is a dependency of
> webmock & inode, it'd be a shame to lose those in epel.
> 
> http://www.isitfedoraruby.com/fedorarpms/rubygem-crack/full_deps

  Did you have chance to process these issues further? (just checking)

Also, about the co-maintaining these packages for EPEL, would it be possible for you to maintain them?

Thank you.

Comment 14 pjp 2015-06-11 14:13:50 UTC
Hello Mo,

Did you have chance to work on these issues, any update please?

Thank you.

Comment 15 Mo Morsi 2015-06-11 21:02:54 UTC
pjp, eric sorry for belated response. I wrote a small script to compare upstream gem versions & dependencies w/ those in Fedora and display them in a hierarchical tree manner:

https://github.com/ManageIQ/polisher/blob/master/bin/gem_mapper.rb

For the latest upstream rails release (4.2.1) the following would need to be updated / included in epel7:

rails 4.2.1 
actionmailer 4.2.1 
actionpack 4.2.1 
activesupport 4.2.1 
tzinfo 1.2.2 
rack-test 0.6.3 
rails-html-sanitizer 1.0.2 
loofah 2.0.2 
rails-dom-testing 1.0.6 
rails-deprecated_sanitizer 1.0.3 
actionview 4.2.1 
activejob 4.2.1 
globalid 0.3.5 
mail 2.6.3 
activemodel 4.2.1 
activerecord 4.2.1 
railties 4.2.1 
sprockets-rails 3.0.0.beta1 
sprockets 2.12.3 

Note these do not include devel deps. These will most likely entail additional updates.

Using the gem_dependency_checker, I extracted the following builds from other fedora branches:

https://github.com/ManageIQ/polisher/blob/master/bin/gem_dependency_checker.rb

$ ruby -Ilib ./bin/gem_dependency_checker.rb --gem rails  -k
rails  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionmailer  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionpack  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
actionview  koji: 4.1.5, 4.1.4, 4.1.1
activesupport  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
i18n  koji: 0.6.11, 0.6.9, 0.6.4, 0.6.1, 0.6.0
json  koji: 1.7.7, 1.6.8, 1.6.5
minitest  koji: 5.3.1, 4.7.0, 2.10.1
thread_safe  koji: 0.3.3, 0.1.3, 0.1.2
tzinfo  koji: 1.2.2, 1.1.0, 0.3.37, 0.3.35, 0.3.30
builder  koji: 3.2.2, 3.1.4, 3.0.0
erubis  koji: 2.7.0
rails-dom-testing  koji
nokogiri  koji: 1.6.4.1, 1.6.3.1, 1.6.6.2, 1.6.5, 1.6.2.1, 1.6.1, 1.6.0, 1.5.9, 1.5.11, 1.5.6, 1.5.5
mini_portile  koji: 0.6.1, 0.6.0, 0.6.2, 0.5.3, 0.5.2, 0.5.1
rails-deprecated_sanitizer  koji
rails-html-sanitizer  koji
loofah  koji: 2.0.0, 1.2.1
rack  koji: 1.5.2, 1.4.5, 1.4.0
rack-test  koji: 0.6.2, 0.6.1
activejob  koji
globalid  koji
mail  koji: 2.5.4, 2.5.3, 2.4.4
mime-types  koji: 1.25.1, 1.19, 1.16
activemodel  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
activerecord  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
arel  koji: 5.0.0, 4.0.0, 3.0.2
bundler  koji: 1.7.3, 1.5.2, 1.7.6, 1.3.5, 1.3.1, 1.1.4
railties  koji: 4.1.5, 4.1.4, 4.1.1, 4.0.0, 3.2.13, 3.2.8
rake  koji: 10.0.4, 0.9.6, 0.9.2.2
thor  koji: 0.18.1, 0.17.0, 0.14.6
sprockets-rails  koji: 2.1.3, 2.0.1, 2.0.0
sprockets  koji: 2.12.1, 2.8.2, 2.4.5

I can start looking into updating some of the more simpler deps in the near future. Obviously the entire list will take some time but it should go quicker with some assistance...

Comment 16 pjp 2015-06-12 04:05:42 UTC
  Hello Mo,

(In reply to Mo Morsi from comment #15)
> I wrote a small script to compare
> upstream gem versions & dependencies w/ those in Fedora and display them in
> a hierarchical tree manner:
> 
> https://github.com/ManageIQ/polisher/blob/master/bin/gem_mapper.rb
> 
> For the latest upstream rails release (4.2.1) the following would need to be
> updated / included in epel7:
> 
...
> 
> Note these do not include devel deps. These will most likely entail
> additional updates.
> 
> Using the gem_dependency_checker, I extracted the following builds from
> other fedora branches:
> 
> https://github.com/ManageIQ/polisher/blob/master/bin/gem_dependency_checker.
> rb
> 

  That is an extensive list of packages to be updated. But it does not seem to include rubygem-extlib and rubygem-crack packages, which have the long standing bugs(linked here) open.  OR  Is it that to update extlib & rubygem-crack packages, we have to update the aforementioned list first?

> I can start looking into updating some of the more simpler deps in the near
> future. Obviously the entire list will take some time but it should go
> quicker with some assistance...

   IMO it's preferable to close the long standing security updates first, and then move to the bug fix and feature updates. Surely you'll need help with updating so many packages. Is there a fedora-ruby list or SIG wherein we could look for help? Let's see if we could find some help there.

Thank you.

Comment 17 Mo Morsi 2015-06-12 15:44:38 UTC
(In reply to pjp from comment #16)
>   That is an extensive list of packages to be updated. But it does not seem
> to include rubygem-extlib and rubygem-crack packages, which have the long
> standing bugs(linked here) open.  OR  Is it that to update extlib &
> rubygem-crack packages, we have to update the aforementioned list first?

Yes the list is extensive. The complete list with dev deps can be found here:

https://mmorsi.fedorapeople.org/missing_deps_output

Granted many deps on the list (particularily dev & testing ones) are duplicates / not necessary. I'll start looking at consolidating this list in the near future.



> 
> > I can start looking into updating some of the more simpler deps in the near
> > future. Obviously the entire list will take some time but it should go
> > quicker with some assistance...
> 
>    IMO it's preferable to close the long standing security updates first,
> and then move to the bug fix and feature updates. Surely you'll need help
> with updating so many packages. Is there a fedora-ruby list or SIG wherein
> we could look for help? Let's see if we could find some help there.
> 
> Thank you.

I've just requested access for rubygem-crack and extlib, will update to the latest upstream version on the requested branches when I have access.

Sent the info pertaining to the rails update to the ruby-sig, and will keep that updated on progress.

https://lists.fedoraproject.org/pipermail/ruby-sig/2015-June/001787.html

Comment 18 pjp 2015-06-15 07:32:00 UTC
Hello Mo,

(In reply to Mo Morsi from comment #17)
> I've just requested access for rubygem-crack and extlib, will update to the
> latest upstream version on the requested branches when I have access.

  Sent an email to Michael about the same, let's hope it grants access soon.

> Sent the info pertaining to the rails update to the ruby-sig, and will keep
> that updated on progress.
> 
> https://lists.fedoraproject.org/pipermail/ruby-sig/2015-June/001787.html

  That's great! Thank you so much for an update, I appreciate it. Let me know if I could help with anything.

Thank you.

Comment 19 pjp 2015-06-15 07:35:02 UTC
(In reply to pjp from comment #18)
>   Sent an email to Michael about the same, let's hope it grants access soon.

   Sorry, he(not it) grants access soon. ;)

Comment 20 pjp 2015-06-15 10:53:46 UTC
Hello Mo,

I sent your ruby-sig message to a student's list that I'm part of. One of the student from there is interested to work with you on updating Rails packages in EPEL. I've sent you an email about the same; Hope it works out well.

Thank you.

Comment 21 Mo Morsi 2015-06-15 17:45:54 UTC
Awesome, thanks. Will continue via email

Comment 22 pjp 2015-07-07 13:46:14 UTC
  Hello Mo,

Of the dependent bugs linked here, couple are closed and updates have been pushed for the rubygem-extlib issue.

   #731451 rubygem-activesupport: XSS vulnerability in escaping function
   #917237 Ruby Gem crack: YAML parameter parsing vulnerability

Did you have chance to see the these two?  (just checking)

Thank you. :)

Comment 23 Mo Morsi 2015-07-07 14:30:51 UTC
The rubygem-crack update is in progress, am having difficulties building against the 3 epel platforms. EL7 / EL6 are currently working so may just update those & retire EL5.

activesupport will be taken care of w/ the larger epel rails update which still has a ways togo.

Comment 24 pjp 2015-07-08 10:47:39 UTC
(In reply to Mo Morsi from comment #23)
> The rubygem-crack update is in progress, am having difficulties building
> against the 3 epel platforms. EL7 / EL6 are currently working so may just
> update those & retire EL5.

  Yes, that will be good.

> activesupport will be taken care of w/ the larger epel rails update which
> still has a ways togo.

  I see, okay.

Thanks so much for an update.

Comment 25 Mo Morsi 2015-07-12 16:51:39 UTC
Updated rubygem-crack on epel6, requested admin access so as to retire on epel5.

Will look more into the rails update this week.

Comment 26 Jan Kurik 2015-07-15 14:19:02 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 27 pjp 2015-07-16 08:37:57 UTC
(In reply to Mo Morsi from comment #25)
> Updated rubygem-crack on epel6, requested admin access so as to retire on
> epel5.
> 
> Will look more into the rails update this week.

  Cool!

Thank you for an update.

Comment 28 pjp 2016-08-26 05:28:23 UTC
Hello MO,

Are you working on this one ? It's been long, it needs a closure.

Thank you.

Comment 29 Mo Morsi 2016-08-30 17:21:50 UTC
Hi pjp, I hadn't worked on this in a while, and will be sidelining work on rails / epel for the foreseeable future due to other priorities.

rubygem-crack has been retired on EL 5/6, though both rubygem-crack and rubygem-rails have been updated on EL7.

Comment 30 Fedora End Of Life 2016-11-24 11:39:17 UTC
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 31 Fedora End Of Life 2016-12-20 13:29:10 UTC
Fedora 23 changed to end-of-life (EOL) status on 2016-12-20. Fedora 23 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.