Description of problem: There are outstanding bugs against this package, including security issues, to which you haven't responded in a significant period of time. Furthermore, you haven't responded to private emails.

Additional info:
https://bugzilla.redhat.com/show_bug.cgi?id=462703
https://bugzilla.redhat.com/show_bug.cgi?id=462871
https://bugzilla.redhat.com/show_bug.cgi?id=462872
https://bugzilla.redhat.com/show_bug.cgi?id=471636
https://bugzilla.redhat.com/show_bug.cgi?id=462870
https://bugzilla.redhat.com/show_bug.cgi?id=462883
https://bugzilla.redhat.com/show_bug.cgi?id=462885

Note that many of these bugs have CVE numbers assigned.

Question: Why hasn't security-response-team escalated this problem, as there are outstanding security vulnerabilities?
I'd like to add the "bugzilla" package to this response request with the following bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=465958
https://bugzilla.redhat.com/show_bug.cgi?id=466077
https://bugzilla.redhat.com/show_bug.cgi?id=474250
Note that this packager has the following packages listed in koji: http://koji.fedoraproject.org/koji/userinfo?userID=225

ratpoison: http://koji.fedoraproject.org/koji/userinfo?userID=225
outstanding bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=473940
https://bugzilla.redhat.com/show_bug.cgi?id=426739
https://bugzilla.redhat.com/show_bug.cgi?id=455084

squidguard: http://koji.fedoraproject.org/koji/packageinfo?packageID=3866
outstanding bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=452467
https://bugzilla.redhat.com/show_bug.cgi?id=453461
https://bugzilla.redhat.com/show_bug.cgi?id=245377
https://bugzilla.redhat.com/show_bug.cgi?id=247065

wordpress: http://koji.fedoraproject.org/koji/packageinfo?packageID=4118
Adrian has been keeping this one updated, but John does have several security bugs assigned to him:
https://bugzilla.redhat.com/show_bug.cgi?id=421141
https://bugzilla.redhat.com/show_bug.cgi?id=471990
https://bugzilla.redhat.com/show_bug.cgi?id=471991
https://bugzilla.redhat.com/show_bug.cgi?id=471992

bugzilla: http://koji.fedoraproject.org/koji/packageinfo?packageID=1420
Spot made one rebuild. Bugs assigned: (many)
https://bugzilla.redhat.com/show_bug.cgi?id=465958
https://bugzilla.redhat.com/show_bug.cgi?id=465957
https://bugzilla.redhat.com/show_bug.cgi?id=461049
https://bugzilla.redhat.com/show_bug.cgi?id=458848
https://bugzilla.redhat.com/show_bug.cgi?id=471088
etc.
(In reply to comment #0)
> Question: Why hasn't security-response-team escalated this problem, as there
> are outstanding security vulnerabilities?

security-response-team@'s support for Fedora is mostly limited to making sure maintainers get notified about the issues, helping analyse issues, and getting known / upstream patches. Actually, in most cases there's little need for us to get involved in real package updating.

(In reply to comment #2)
> wordpress:
> https://bugzilla.redhat.com/show_bug.cgi?id=421141

CVE-2007-6318: looking at the upstream bug, it's not clear whether this issue ever got fixed upstream.

> https://bugzilla.redhat.com/show_bug.cgi?id=471990
> https://bugzilla.redhat.com/show_bug.cgi?id=471991
> https://bugzilla.redhat.com/show_bug.cgi?id=471992

CVE-2008-5113: this is a low-impact issue that requires a non-trivial change, and the fix should really come from upstream.

Given the list, it looks like John is probably busy with his real life and may not have enough time for Fedora. Have you asked him to orphan some of his packages, or possibly requested co-maintainership?
I believe that was the gist of the recent thread on -devel.
> Have you asked him to orphan some of his
> packages, or possibly requested co-maintainership?

How, if he doesn't respond to private emails or bugs?
Second non-responsive maintainer bug opened at: https://bugzilla.redhat.com//show_bug.cgi?id=476477
I think enough time has elapsed to take this to FESCO. Joel, you reported, you want to do the honors? I'll take gallery2 if approved, and would consider others.
*** Bug 476477 has been marked as a duplicate of this bug. ***
Notification to the devel list posted: https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01757.html Please orphan and/or release maintainership from John Berninger for all his packages. Thanks Cry.
Original post to devel list was: https://www.redhat.com/archives/fedora-devel-list/2008-December/msg00237.html
Yes, I've been unresponsive - my fault, no excuses. I've not had time to do anything with Fedora recently and should have realized that sooner. Anyone who would like to take over my packages is more than welcome to do so, as I don't see my time getting freed up in the near future any more than it has been in the recent past.
Can you orphan them in pkgdb, once maintainers volunteer? https://admin.fedoraproject.org/pkgdb I'll take gallery2, and would consider others that you don't have time for and others won't take.
gallery2 and bugzilla have been orphaned - the other big one is wordpress. squidGuard and ratpoison are (or seem to be) lower-demand packages; anyone that cares to take them can do so.
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
I can take ratpoison if no one else wants it. ;)
it's all yours
Thanks John for stepping up and orphaning the packages. Even huger thanks for even packaging and pushing these packages (my favs are wordpress and gallery2) into Fedora in the first place. Totally awesome. Thanks! Joel
I'll take wordpress if no one else wants it.
Adding Adrian. Adrian, do you want wordpress, or should I take it over. There's a few security bugs and 2.7 is out.
I take wordpress. There is already a bug open for the 2.7 release. I will update it (I am waiting for 2.7.1). Jon, if you want to co-maintain, you are welcome.
Excellent.
Can someone, preferably John Berninger, announce on fedora-devel-list that these packages are being orphaned? At least announce the remaining packages. I'm anxious to see an updated bugzilla package. There are some new features + security updates in the jump from 3.0.4 (Fedora) to 3.2.2 (upstream).
SquidGuard taken.
It seems that all of the projects have been adopted. I think this bug can be closed now.