Hello,
I recently noticed that Thunderbird updates are missing from CentOS 5.
First, I noticed that Thunderbird 2.0.0.19 is available in the "updates" repo of CentOS 5.2, but not on the "updates" repo of CentOS 5.3. The version in the "os" repo of CentOS 5.3 is 2.0.0.18.
- Thunderbird 2.0.0.19 in CentOS 5.2 updates repo: http://mirror.centos.org/centos/5.2/updates/i386/RPMS/thunderbird-2.0.0.19-1...
- Thunderbird 2.0.0.18 in CentOS 5.3 os repo: http://mirror.centos.org/centos/5.3/os/i386/CentOS/thunderbird-2.0.0.18-1.el...
- No Thunderbird in CentOS 5.3 updates repo: http://mirror.centos.org/centos/5.3/updates/i386/RPMS/
Then I went upstream to confirm which versions were available there. To my surprise, I found out that there is a src rpm for Thunderbird 2.0.0.21 that dates from March 22.
- Thunderbird 2.0.0.21 SRPM in RHEL 5Client: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/thunderbird-2.0.0.21-1.el5.src.rpm
CentOS Developers, could you please build the RPMs for the latest version 2.0.0.21, and investigate why the issue with 2.0.0.19 not being present in the "updates" repo 5.3 happened, and why the new package 2.0.0.21 was not rebuilt even though it dates from more than one month ago?
Thanks! Filipe
On Fri, May 8, 2009 at 7:35 PM, Filipe Brandenburger filbranden@gmail.com wrote:
CentOS Developers, could you please build the RPMs for the latest version 2.0.0.21, and investigate why the issue with 2.0.0.19 not being present in the "updates" repo 5.3 happened, and why the new package 2.0.0.21 was not rebuilt even though it dates from more than one month ago?
Missing thunderbird was reported in the bug tracker as well.
http://bugs.centos.org/view.php?id=3593
Akemi
On Mon, May 11, 2009 at 2:33 AM, Karanbir Singh mail-lists@karan.org wrote:
Filipe Brandenburger wrote:
Hello,
I recently noticed that Thunderbird updates are missing from CentOS 5.
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
- KB
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
"Something must be going wrong because some of these security updates are now two months delayed.
Do you know if Johnny has left the project? He used to stay pretty on top of these."
Thanks,
Akemi
[1] http://www.centos.org/modules/newbb/viewtopic.php?viewmode=thread&topic_...
On Mon, May 18, 2009 at 2:23 PM, Akemi Yagi amyagi@gmail.com wrote:
On Mon, May 11, 2009 at 2:33 AM, Karanbir Singh mail-lists@karan.org wrote:
Filipe Brandenburger wrote:
I recently noticed that Thunderbird updates are missing from CentOS 5.
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
- KB
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
"Something must be going wrong because some of these security updates are now two months delayed.
Do you know if Johnny has left the project? He used to stay pretty on top of these."
If my memory is OK, there was a post, 2 or 3 months ago, that Johnny had a health issue. Hopefully, he is recovering and will return to the project soon!
on 5-18-2009 3:18 PM Lanny Marcus spake the following:
On Mon, May 18, 2009 at 2:23 PM, Akemi Yagi amyagi-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
On Mon, May 11, 2009 at 2:33 AM, Karanbir Singh mail-lists-XASut8F7j/3YtjvyW6yDsg@public.gmane.org wrote:
Filipe Brandenburger wrote:
I recently noticed that Thunderbird updates are missing from CentOS 5.
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
- KB
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
"Something must be going wrong because some of these security updates are now two months delayed.
Do you know if Johnny has left the project? He used to stay pretty on top of these."
If my memory is OK, there was a post, 2 or 3 months ago, that Johnny had a health issue. Hopefully, he is recovering and will return to the project soon!
I did some searching of some of the places I have seen Johnny posting and he seems conspicuously absent since Mid December 2008. I hope he is OK also.
Scott Silva wrote:
on 5-18-2009 3:18 PM Lanny Marcus spake the following:
On Mon, May 18, 2009 at 2:23 PM, Akemi Yagi amyagi-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
On Mon, May 11, 2009 at 2:33 AM, Karanbir Singh mail-lists-XASut8F7j/3YtjvyW6yDsg@public.gmane.org wrote:
Filipe Brandenburger wrote:
I recently noticed that Thunderbird updates are missing from CentOS 5.
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
- KB
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
"Something must be going wrong because some of these security updates are now two months delayed.
Do you know if Johnny has left the project? He used to stay pretty on top of these."
If my memory is OK, there was a post, 2 or 3 months ago, that Johnny had a health issue. Hopefully, he is recovering and will return to the project soon!
I did some searching of some of the places I have seen Johnny posting and he seems conspicuously absent since Mid December 2008. I hope he is OK also.
And now, upstream 4.8 is released... who will be handling this one? Karanbir?
-Greg
On 05/19/2009 12:10 AM, Greg Bailey wrote:
And now, upstream 4.8 is released... who will be handling this one? Karanbir?
The announcements came through last night, however the packages and isos had not come through when I looked last.
Scott Silva wrote:
on 5-18-2009 3:18 PM Lanny Marcus spake the following:
On Mon, May 18, 2009 at 2:23 PM, Akemi Yagi amyagi-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
On Mon, May 11, 2009 at 2:33 AM, Karanbir Singh mail-lists-XASut8F7j/3YtjvyW6yDsg@public.gmane.org wrote:
Filipe Brandenburger wrote:
I recently noticed that Thunderbird updates are missing from CentOS 5.
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
- KB
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
"Something must be going wrong because some of these security updates are now two months delayed.
Do you know if Johnny has left the project? He used to stay pretty on top of these."
If my memory is OK, there was a post, 2 or 3 months ago, that Johnny had a health issue. Hopefully, he is recovering and will return to the project soon!
I did some searching of some of the places I have seen Johnny posting and he seems conspicuously absent since Mid December 2008. I hope he is OK also.
I'll add my "Me too". I have wondered dozens of times over the last few months where he is but being a pretty private person myself, I can certainly respect his maintaining a low profile.
On 05/18/2009 08:23 PM, Akemi Yagi wrote:
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
Should be there today
On Tue, May 19, 2009 at 2:36 AM, Karanbir Singh mail-lists@karan.org wrote:
There are a few updates pending, I am going to look into this today. For both c4 and c5. We should be all caught up within the next 24 hrs.
Any update on this is greatly appreciated. I'm asking because of this forum post [1]:
Should be there today
Here's a follow-up from the aforementioned forum thread (with minor edit). It's about the pending C4 updates:
We can't be the only ones still using C4 i386. Some of the outstanding security updates are rated critical; maybe people just don't realize how many unpatched vulnerabilities there are at this point.
One of the major "selling points" of CentOS is a long support period. That's called into question if security updates take months to appear. Caveat: I'm aware this is a volunteer project and we are very appreciative of the time the developers donate. We hesitated to bring up this issue at all until the updates were delayed by more than a month.
For the record, here is the list of currently unpatched CentOS4 i386 security vulnerabilities with the corresponding Bugzilla notices:
- May 8 bugzilla@redhat.com (17K) [RHSA-2009:0476-01] Important: pango security update
- May 7 bugzilla@redhat.com (11K) [RHSA-2009:0474-01] Moderate: acpid security update
- Apr 30 bugzilla@redhat.com (11K) [RHSA-2009:0458-01] Important: gpdf security update
- Apr 30 bugzilla@redhat.com (12K) [RHSA-2009:0457-01] Moderate: libwmf security update
- Apr 21 bugzilla@redhat.com (25K) [RHSA-2009:0437-02] Critical: seamonkey security update
- Apr 16 bugzilla@redhat.com (12K) [RHSA-2009:0430-01] Important: xpdf security update
- Apr 16 bugzilla@redhat.com (13K) [RHSA-2009:0431-01] Important: kdegraphics security update
- Apr 16 bugzilla@redhat.com (17K) [RHSA-2009:0429-01] Important: cups security update
- Apr 14 bugzilla@redhat.com (15K) [RHSA-2009:0420-01] Moderate: ghostscript security update
- Apr 7 bugzilla@redhat.com (11K) [RHSA-2009:0411-01] Moderate: device-mapper-multipath security update
- Mar 27 bugzilla@redhat.com (23K) [RHSA-2009:0398-01] Critical: seamonkey security update
- Mar 25 bugzilla@redhat.com (8738) [RHSA-2009:0362-01] Moderate: NetworkManager security update
- Mar 24 bugzilla@redhat.com (11K) [RHSA-2009:0258-01] Moderate: thunderbird security update
- Mar 16 bugzilla@redhat.com (14K) [RHSA-2009:0355-01] Moderate: evolution and evolution-data-server security update
- Mar 16 bugzilla@redhat.com (15K) [RHSA-2009:0354-01] Moderate: evolution-data-server security update
- Mar 16 bugzilla@redhat.com (15K) [RHSA-2009:0344-01] Moderate: libsoup security update
[Updates dated May 18 have been deleted from the list]
Akemi Yagi wrote:
We can't be the only ones still using C4 i386. Some of the outstanding security updates are rated critical; maybe people just don't realize how many unpatched vulnerabilities there are at this point.
I run C4 i386, though my systems are on trusted networks whose only services are provided by 3rd party packages (mostly java/tomcat) and my CentOS 4.6 machines are the least of my worries when it comes to updates (hello RHEL 3 update 3!)
When we get audited later this year I will try to push us onto RHEL, should be easier to justify at that point.
nate
nate wrote:
Akemi Yagi wrote:
We can't be the only ones still using C4 i386. Some of the outstanding security updates are rated critical; maybe people just don't realize how many unpatched vulnerabilities there are at this point.
I run C4 i386, though my systems are on trusted networks whose only services are provided by 3rd party packages (mostly java/tomcat) and my CentOS 4.6 machines are the least of my worries when it comes to updates (hello RHEL 3 update 3!)
When we get audited later this year I will try to push us onto RHEL, should be easier to justify at that point.
nate
I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.
One of the project's stated goals has always been to release updates within 72 hours, and often within 24 hours from upstream release. This isn't about missing that target by a day or two, but rather that security updates are completely missed altogether until someone notices and says something at which point they normally appear 24 hours later. It looks more like the process is broken to me, but as we have no idea what the process actually is it's impossible to tell.
Ned Slider wrote:
nate wrote:
Akemi Yagi wrote:
We can't be the only ones still using C4 i386. Some of the outstanding security updates are rated critical; maybe people just don't realize how many unpatched vulnerabilities there are at this point.
I run C4 i386, though my systems are on trusted networks whose only services are provided by 3rd party packages (mostly java/tomcat) and my CentOS 4.6 machines are the least of my worries when it comes to updates (hello RHEL 3 update 3!)
When we get audited later this year I will try to push us onto RHEL, should be easier to justify at that point.
nate
I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.
When 5.3 was late for weeks, many people asked and the answer was always "when it'll be ready", and "don't ask, if you need it in time buy from upstream". So now no one dares to ask :-(
Ned Slider wrote:
I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.
One of the project's stated goals has always been to release updates within 72 hours, and often within 24 hours from upstream release. This isn't about missing that target by a day or two, but rather that security updates are completely missed altogether until someone notices and says something at which point they normally appear 24 hours later. It looks more like the process is broken to me, but as we have no idea what the process actually is it's impossible to tell.
Yes I agree, it seems that CentOS has been resource constrained for some time now, I'm not certain what the constraint is but myself I try not to complain since it is a volunteer effort. I've gotten the impression that there seems to be only a few (perhaps 4 or less) people working on the actual packaging stuff, and they probably don't get paid to make it a full time job, I'm sure it's not easy work.
It'd be nice if some of the bigger companies that benefit from CentOS would contribute more, as of a few years ago at least F5 Networks used CentOS code on their load balancers [CentOS 3.x, very stripped down] (prices ranging from $15k-500k), I don't think they have switched distributions since. The NAS cluster we have here comes from a company called Exanet (list price over $100k), and it runs on CentOS 4.4. I'm sure there are several others..
Hopefully they can get the support they need to beef up things like security updates and stuff, it seems things have been going downhill for a while now.
nate
On Wed, May 20, 2009 at 3:00 PM, nate centos@linuxpowered.net wrote:
Ned Slider wrote:
I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.
Yes I agree, it seems that CentOS has been resource constrained for some time now, I'm not certain what the constraint is but myself I try not to complain since it is a volunteer effort.
I don't think people are complaining. This includes the forum poster whose message I have been copying in this thread. They are concerned (possibly worried) - and wonder what is happening within the CentOS operation. Significant delays are not what we are accustomed to see.
Akemi
on 5-20-2009 3:19 PM Akemi Yagi spake the following:
On Wed, May 20, 2009 at 3:00 PM, nate centos-T6AQWPvKiI1cRAk/VAjCeQ@public.gmane.org wrote:
Ned Slider wrote:
I think the point is that there must be something very wrong/broken if a) security updates are missing for over a month, and b) people don't even like to ask for fear of offending someone, and c) no one really talks about it.
Yes I agree, it seems that CentOS has been resource constrained for some time now, I'm not certain what the constraint is but myself I try not to complain since it is a volunteer effort.
I don't think people are complaining. This includes the forum poster whose message I have been copying in this thread. They are concerned (possibly worried) - and wonder what is happening within the CentOS operation. Significant delays are not what we are accustomed to see.
Akemi
It seems that Johnny did a lot of work on 4's updates, and now with him MIA, the load has to fall on somebody else (Karanbir right now). CentOS doesn't have that many devels that the loss of one doesn't cause a profound impact.
On 05/20/2009 11:46 PM, Scott Silva wrote:
It seems that Johnny did a lot of work on 4's updates, and now with him MIA, the load has to fall on somebody else (Karanbir right now). CentOS doesn't have that many devels that the loss of one doesn't cause a profound impact.
A lot of the work has, traditionally, been done manually. Over the last few weeks I've been working quite hard to make sure as much of that is automated as possible, and I know that C4 has suffered a bit - but the problem isn't nearly as bad as what people are making it out to be.
Give it a few more days, things will improve. Trust me on that :)
On Wed, May 20, 2009 6:46 pm, Scott Silva wrote:
It seems that Johnny did a lot of work on 4's updates, and now with him MIA, the load has to fall on somebody else (Karanbir right now). CentOS doesn't have that many devels that the loss of one doesn't cause a profound impact.
Would it be possible to increase the number of developers? Is there a way additional bodies can be put to work to relieve some of the pressure off of the current team members?
Marko
On 05/20/2009 11:55 PM, Marko A. Jennings wrote:
Would it be possible to increase the number of developers? Is there a way additional bodies can be put to work to relieve some of the pressure off of the current team members?
There are a lot of things going on around the edges that could use attention and to be honest, are much easier for new people to get into - that goes a *long* way in creating the resource pool and more focused groups.
On Wed, May 20, 2009 7:04 pm, Karanbir Singh wrote:
On 05/20/2009 11:55 PM, Marko A. Jennings wrote:
Would it be possible to increase the number of developers? Is there a way additional bodies can be put to work to relieve some of the pressure off of the current team members?
There are a lot of things going on around the edges that could use attention and to be honest, are much easier for new people to get into - that goes a *long* way in creating the resource pool and more focused groups.
I am an RHCE with, among other things, 20 years of Unix experience. How exactly can I contribute, aside from answering occasional questions on the mailing list?
On 05/21/2009 12:59 AM, Marko A. Jennings wrote:
I am an RHCE with, among other things, 20 years of Unix experience. How exactly can I contribute, aside from answering occasional questions on the mailing list?
Current requirements are actually quite developer heavy -> how's your python foo? At least a couple of things in the wiki need attention.
Then there is the website Ver2 project that could use more people getting involved with. The newer, better mirror service management system is going to need attention and development. I've been working on a rspec oriented test harness for rpms, sort of like a unit tester but something that is environment aware ..... there are plenty of things going on that could use people :)
The centos-devel list, as always, is a good place to keep your eyes on, there must have been at least a dozen various things that are open to contributions and help that have gone through there in the last few months.
btw, there is a wiki page that has a better list, and a more structured setup.
On Wed, May 20, 2009 8:15 pm, Karanbir Singh wrote:
On 05/21/2009 12:59 AM, Marko A. Jennings wrote:
I am an RHCE with, among other things, 20 years of Unix experience. How exactly can I contribute, aside from answering occasional questions on the mailing list?
Current requirements are actually quite developer heavy -> how's your python foo? At least a couple of things in the wiki need attention.
Sorry, I have only basic knowledge of Python, so I am not your man for that.
<snip>
The centos-devel list, as always, is a good place to keep your eyes on, there must have been at least a dozen various things that are open to contributions and help that have gone through there in the last few months.
Thank you. I will subscribe to the devel list and watch for things that I can help with.
On Wed, May 20, 2009 at 3:00 PM, John R Pierce pierce@hogranch.com wrote:
We can't be the only ones still using C4 i386.
Indeed not. Quite a lot of our development/test systems are Centos 3 and 4 i386. Many of them are hardware that doesn't support amd64
Yes, my own servers (not many -- nevertheless) are all running CentOS-4.
Akemi