Bug 474870 - Maintainer Please Respond
Summary: Maintainer Please Respond
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: gallery2
Version: 10
Hardware: All
OS: Linux
low
urgent
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 476477 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-12-05 17:21 UTC by Joel
Modified: 2009-02-11 19:31 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-02-11 19:31:29 UTC


Attachments (Terms of Use)

Description Joel 2008-12-05 17:21:46 UTC
Description of problem:

There are outstanding bugs against this package including security issues to which you haven't responded in a significant period of time.  Furthermore you haven't responded to private emails.

Additional info:

https://bugzilla.redhat.com/show_bug.cgi?id=462703
https://bugzilla.redhat.com/show_bug.cgi?id=462871
https://bugzilla.redhat.com/show_bug.cgi?id=462872
https://bugzilla.redhat.com/show_bug.cgi?id=471636
https://bugzilla.redhat.com/show_bug.cgi?id=462870
https://bugzilla.redhat.com/show_bug.cgi?id=462883
https://bugzilla.redhat.com/show_bug.cgi?id=462885

Note that many of these bugs have CVE numbers assigned.

Question:  Why hasn't security-response-team escalated this problem as their are outstanding security vulnerabilities?

Comment 1 Michael Cronenworth 2008-12-05 18:09:08 UTC
I'd like to add the "bugzilla" package to this response request with the following bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=465958
https://bugzilla.redhat.com/show_bug.cgi?id=466077
https://bugzilla.redhat.com/show_bug.cgi?id=474250

Comment 3 Tomas Hoger 2008-12-09 18:26:24 UTC
(In reply to comment #0)
> Question:  Why hasn't security-response-team escalated this problem as their
> are outstanding security vulnerabilities?

security-response-team@'s support for Fedora is mostly limited to making sure maintainers get notified about the issues, helping analyse issues and get known / upstream patches.  Actually, it most cases there's little need for us to get involved in real package updating.

(In reply to comment #2)
> wordpress:
> https://bugzilla.redhat.com/show_bug.cgi?id=421141

CVE-2007-6318, looking at the upstream bug, it's not clear whether this issue ever got fixed upstream.

> https://bugzilla.redhat.com/show_bug.cgi?id=471990
> https://bugzilla.redhat.com/show_bug.cgi?id=471991
> https://bugzilla.redhat.com/show_bug.cgi?id=471992

CVE-2008-5113, this is a low impact issue, that requires non-trivial change and the fix should really come upstream.


Given the list, it looks like John is probably busy with his real life and may not have enough time for Fedora.  Have you asked him to orphan some of his packages, or possibly requested co-maintainership?

Comment 4 Gwyn Ciesla 2008-12-09 18:40:06 UTC
I believe that was the gist of the recent thread on -devel.

Comment 5 Joel 2008-12-15 04:45:40 UTC
> Have you asked him to orphan some of his
> packages, or possibly requested co-maintainership?

How if he doesn't respond to private emails or bugs?

Comment 6 Joel 2008-12-15 04:51:10 UTC
Second non-responsive maintainer bug opened at:

https://bugzilla.redhat.com//show_bug.cgi?id=476477

Comment 7 Gwyn Ciesla 2009-01-13 15:28:19 UTC
I think enough time has elapsed to take this to FESCO.  Joel, you reported, you want to do the honors?

I'll take gallery2 if approved, and would consider others.

Comment 8 Gwyn Ciesla 2009-01-13 15:28:40 UTC
*** Bug 476477 has been marked as a duplicate of this bug. ***

Comment 9 Joel 2009-01-26 21:09:41 UTC
Notification to the devel list posted:

https://www.redhat.com/archives/fedora-devel-list/2009-January/msg01757.html

Please orphan and/or release maintainership from John Berninger for all his packages.  Thanks Cry.

Comment 10 Joel 2009-01-26 21:15:47 UTC
Original post to devel list was:

https://www.redhat.com/archives/fedora-devel-list/2008-December/msg00237.html

Comment 11 John Berninger 2009-02-03 19:09:21 UTC
Yes, I've been unresponsive - my fault, no excuses.  I've not had time to do anything with Fedora recently and should have realized that sooner.  Anyone who would like to take over my packages is more than welcome to do so, as I don't see my time getting freed up in the near future any more than it has been in the recent past.

Comment 12 Gwyn Ciesla 2009-02-03 19:18:06 UTC
Can you orphan them in pkgdb, once maintainers volunteer?  

https://admin.fedoraproject.org/pkgdb

I'll take gallery2, and would consider others that you don't have time for and others won't take.

Comment 13 John Berninger 2009-02-03 19:26:34 UTC
gallery2 and bugzilla have been orphaned - the other big one is wordpress.  squidGuard and ratpoison are (or seem to be) lower-demand packages; anyone that cares to take them can do so.

Comment 14 Fedora Admin XMLRPC Client 2009-02-03 19:29:20 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 15 Kevin Fenzi 2009-02-03 21:56:24 UTC
I can take ratpoison if no one else wants it. ;)

Comment 16 John Berninger 2009-02-03 22:28:34 UTC
it's all yours

Comment 17 Joel 2009-02-03 22:44:01 UTC
Thanks John for stepping up and orphaning the packages.

Even huger thanks for even packaging and pushing these packages (my favs are wordpress and gallery2) into Fedora in the first place.  Totally awesome.

Thanks!

Joel

Comment 18 Gwyn Ciesla 2009-02-04 19:22:45 UTC
I'll take wordpress if no one else wants it.

Comment 19 Gwyn Ciesla 2009-02-04 19:42:09 UTC
Adding Adrian.  Adrian, do you want wordpress, or should I take it over.  There's a few security bugs and 2.7 is out.

Comment 20 Adrian Reber 2009-02-04 21:00:55 UTC
I take wordpress. There is already a bug open for the 2.7 release. I will update it (I am waiting for 2.7.1). Jon, if you want to co-maintain, you are welcome.

Comment 21 Gwyn Ciesla 2009-02-04 21:04:51 UTC
Excellent.

Comment 22 Michael Cronenworth 2009-02-04 22:12:50 UTC
Can someone, preferably John Berninger, announce in fedora-devel-list that these packages are being orphaned. At least announce the remaining packages. I'm anxious to see an updated bugzilla package. There's some new features + security updates in the jump from 3.0.4 (fedora) to 3.2.2 (upstream).

Comment 23 Gwyn Ciesla 2009-02-11 19:22:11 UTC
SquidGuard taken.

Comment 24 Joel 2009-02-11 19:31:29 UTC
It seems that all of the projects have been adopted.  I think this bug can be closed now.


Note You need to log in before you can comment on or make changes to this bug.