issues list(s)

Pekka Savola pekkas at netcore.fi
Sat Sep 24 09:21:55 UTC 2005


On Fri, 23 Sep 2005, Eric Rostetter wrote:
>> I didn't yet update the PUBLISH votes, because the patches need to be
>> verified, check the requirements at:
>>
>> http://www.fedoraproject.org/wiki/Legacy/QAPublish
>
> That doesn't explicitly state that I must do so.  If each of the things
> there *must* be done, then you need to make that more clear, and restate
> things that are optional as being optional, and restate what you mean since
> it isn't clear.

It should: the first three steps are mandatory.  I tried to see if I 
could add clarification on this, but apparently I don't have the edit 
rights for the page (shouldn't it be more open?)

The latter bullet points are optional (which is mentioned there), 
implying (but not saying) that the previous ones are mandatory.

> I did diff the files, I did inspect the patch(es).  I even *tested* the
> patched packages to make sure they fixed the problem.  I didn't see
> anything unusual when I look at the patched code.  I just didn't try to find
> the "original source" or "upstream patch" it was based on and compare them.
>
> Since others have already (before me) verified the patches versus the
> upstream provider, I think it can be implied that they are valid
> in my version since the sha1sum matched for both them and me.  If not, the
> other person needs to be banished. ;)  But I see there is a trust issue here,
> so I get why I should have done this step.

The others have only verified the patch on the OS version for which 
they gave a PUBLISH vote; the patches could be different -- one could 
have a trojan (or just an honest mistake!), while the already QA'd 
version doesn't.

If the SHA1sum of the patches (already verified) matches the one at 
your OS version (i.e., the identical patch in multiple OS versions), 
yes, there is no technical reason to have to verify the patch again. 
But for clarity, it should be pointed out in the PUBLISH vote message.

>> In addition, PUBLISH needs to be done for all distro versions before
>> the package can be built.  Would it be possible to do the FC1 review for
>> a2ps?
>
> No, I don't run FC1.

As you wish, but note that giving PUBLISH votes does not require one 
to run the OS version in question.  I.e., it is not required to test 
the package; just reviewing 1) source integrity, 2) the .spec file, 
and 3) the new patches [if they come from an already-QA'd source] is 
sufficient.

> So, are my PUBLISH votes worth zero votes since I didn't compare the
> patch against the upstream publisher's version, despite all the other
> work I did?  Or maybe they can at least be a 0.5 vote?

I'm a bit impartial in this because I proposed the packages in the 
first place, but I think verifying the patches is essential.  Even 
thorough testing of the packages may not show problems if the patch is 
not (quite) right.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
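A check along the lines of what Pekka describes above (compare patch content by SHA1 against the copy already covered by a PUBLISH vote, and flag a same-named patch whose bytes differ), written here as an added example that is not from this list or from the Fedora Legacy tooling; the patch names, contents and OS version labels are constructed:

```python
import hashlib

# Constructed sample: one patch file name shipped for three OS versions.
# The fc1 and fc2 copies are byte-identical; the rh9 copy carries an extra
# hunk line. Names and contents are illustrative, not the real a2ps patches.
PATCH_OK = b"--- a/foo.c\n+++ b/foo.c\n@@ -1 +1 @@\n-bad\n+good\n"
PATCHES = {
    "fc1": {"a2ps-fix.patch": PATCH_OK},
    "fc2": {"a2ps-fix.patch": PATCH_OK},
    "rh9": {"a2ps-fix.patch": PATCH_OK + b"+extra\n"},
}

def sha1(data: bytes) -> str:
    """SHA1 of the patch content (the value a PUBLISH vote would state)."""
    return hashlib.sha1(data).hexdigest()

def review_plan(patches, qa_done):
    """Decide what still needs review.
    patches: {osver: {patch_name: content_bytes}}
    qa_done: {(osver, patch_name): sha1_hex} for patches already covered
             by a PUBLISH vote.
    Returns {(osver, patch_name): 'verified' | 'reuse:<osver>' | 'review'}.
    """
    # Map verified content (keyed by hash, never by file name) to the OS
    # version whose vote covered it.
    verified = {}
    for (osver, name), digest in qa_done.items():
        verified.setdefault(digest, osver)
    plan = {}
    for osver, files in patches.items():
        for name, content in files.items():
            digest = sha1(content)
            if qa_done.get((osver, name)) == digest:
                plan[(osver, name)] = "verified"
            elif digest in verified:
                # Identical bytes already QA'd elsewhere: no technical reason
                # to re-verify, but the reuse should be stated in the vote.
                plan[(osver, name)] = "reuse:" + verified[digest]
            else:
                # Same name but different bytes (or no vote at all): review it.
                plan[(osver, name)] = "review"
    return plan

if __name__ == "__main__":
    done = {("fc2", "a2ps-fix.patch"): sha1(PATCHES["fc2"]["a2ps-fix.patch"])}
    for key, status in sorted(review_plan(PATCHES, done).items()):
        print(key, status)
```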