[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Why [bug#47081] Remove mongodb?
From: |
zimoun |
Subject: |
Re: Why [bug#47081] Remove mongodb? |
Date: |
Wed, 17 Mar 2021 22:24:09 +0100 |
On Wed, 17 Mar 2021 at 20:11, Léo Le Bouter <lle-bout@zaclys.net> wrote:
> On Wed, 2021-03-17 at 19:51 +0100, zimoun wrote:
>> It shows exactly my point. The correct and polite way of doing the
>> thing is first to examine the issue at hand (3.4.10 is old with
>> security
>> vulnerabilities), then propose a fix (e.g., the removal), wait
>> feedback,
>> and complete.
>
> Actually we did not know pushing a security fix with 3.4.24 was not
> fine, from quick auditing I have made 3.4.24 would still be under AGPL
> so it would be fine to upgrade, turns out not since some files inside
> are under SSPL but that was discovered way later, even when Efraim had
Later means here only hours.
> doubt and reverted my commit we had a debate and Efraim bought my
> arguing even though I was wrong and they were right, if for every
> security issue I have to ask feedback I may not ship them in a timely
> manner, so that's also why they tend to be pushed faster than usual..
Haste is not speed.
> we may want to establish a clear process here. I usually create issues
> for things I need help on, if I can do it myself and feel confident, I
> just push, I can be wrong of course and always sorry for issues, I fix
> them shortly in next commits if any.
I really appreciate your valuable work. I have the impression you think
that you have to push as fast as you can, whatever if it is the right
fix. If I might, first please avoid to burn out and second do not
worry, the world will not explode because of a security vulnerability in
Guix. Maybe one day when Guix will dominate the world, soon! :-)
I am not convinced that the regular Guix user is upgrading their package
set twice a day; maybe once a week at best and more probably time to
time. Guix is rooted in The Right Thing™ and sometimes it means delay
to think what the right thing really is. Therefore, the process is
already clear: go via guix-patch for non-trivial changes and wait
feedback.
At the end, I cannot express better what Tobias wrote:
<https://yhetil.org/guix/87ft0un7ma.fsf@nckx>
or Leo:
<https://yhetil.org/guix/YFEDt/PUd2ZeC6/F@jasmine.lan>
All the best,
simon
Re: Why [bug#47081] Remove mongodb?, Ludovic Courtès, 2021/03/20
Re: Why [bug#47081] Remove mongodb?, Léo Le Bouter, 2021/03/17