RE: [opensuse-security] What's the matter with the OBS PGP keys?
Hi Darix, Although I am mostly merely lurking I do understand his frustration. The biggest problem any project can suffer from is the lack of communication, or bad communication. I really like to use OpenSuSE, because I think it is a really good distro, but the general attitude towards Carlos issue gives me an uncomfortable feeling. He expressed something and he gets attacked on not being constructive? If he was not constructive he would not have raised the issue in the first place. Yeah, maybe he raised it not the way it should have, but instead of being destructive towards him, I think people should really look at his intent before sending off emails like that. We are all people and I think we all benefit the most if we have open and genuine communication. Brushing the issue aside is certainly not the way it should have been handled. Kind regards, Manfred Riem
-------- Original Message -------- Subject: Re: [opensuse-security] What's the matter with the OBS PGP keys? From: Marcus Rueckert <darix@opensu.se> Date: Tue, August 03, 2010 9:55 am To: opensuse-security@opensuse.org
hi,
If you would handle the whole issue a bit less emo and would work on a solution pragmatically instead, we would be much further in solving the issue.
A tutorial has be posted on the 2 big packaging related lists to remind people to check their project keys. And people already looked into their projects.
And i will see if i can come up with a script to find all expired keys.
Complaining on as many channels as possible doesnt really get the issue forward.
darix
-- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On 2010-08-03 09:26:56 -0700, Manfred Riem wrote:
Although I am mostly merely lurking I do understand his frustration. The biggest problem any project can suffer from is the lack of communication, or bad communication. I really like to use OpenSuSE, because I think it is a really good distro, but the general attitude towards Carlos issue gives me an uncomfortable feeling.
He expressed something and he gets attacked on not being constructive? If he was not constructive he would not have raised the issue in the first place.
Yeah, maybe he raised it not the way it should have, but instead of being destructive towards him, I think people should really look at his intent before sending off emails like that. We are all people and I think we all benefit the most if we have open and genuine communication.
Brushing the issue aside is certainly not the way it should have been handled.
nobody is brushing issues asside. I have been working 2-3 hours or so today on getting things moving. The way he was discussing the issue and behaving if people didnt 100% followed his view, wasnt really constructive at all. Even after we pointed out that his claims had been wrong. So instead of whining on as many lists/channels as possible, it would have been way more productive to ask people "is it possible to fix the keys and how?" "how is the best way to notify them? "who can help me with that?" "how can we improve it in the future" And that is exactly the list i worked down. And it got us much further than the discussions on the mailinglist/bugzilla. darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-08-03 18:45, Marcus Rueckert wrote:
nobody is brushing issues asside. I have been working 2-3 hours or so today on getting things moving.
Yes, they have. The bugzilla has been closed several times as WONTFIX, that is, will not fix. So, go away, that's what they told me.
The way he was discussing the issue and behaving if people didnt 100% followed his view, wasnt really constructive at all. Even after we pointed out that his claims had been wrong.
So instead of whining on as many lists/channels as possible, it would have been way more productive to ask people
"is it possible to fix the keys and how?" "how is the best way to notify them? "who can help me with that?" "how can we improve it in the future"
Nobody told me how to report or handle this. It is not documented. I'm not a packager, I know next to nothing about how the OBS works. The report started in the forum. I verified the issue. I considered it a security issue, a grave and urgent one, although it does not affect me. So I thought I would report it officially on behalf of others. First I reported in a bugzilla, which I understand is the official communication method for bugs in the openSUSE project, and I waited about two days. No answer. Then I reported on the project list, and waited one or two days more. No answer. Then I reported on the security list, and only then I started to see a reaction, namely, close the issue as wontfix. Nobody took the time to tell me: "ok, we'll take this over to the packaging list", or where ever is appropriate. Most took time to rebate that it was not an issue, that the sample repo I gave was corrected, that it was not their problem, whatever. Few people have been helpful. It appears that somebody (you say you worked some hours in this and I believe you) did take this to the packaging list (to which I'm not subscribed), and maintainers have started to correct their PGP keys - which remember is an important security issue - but nobody took the time to drop me a line saying that they were handling this. Nobody. And from the little I'm reading here (I'm not subscribed to the packaging list, no idea what has been said there), it appears that you (plural) are blaming me with not very kind words. That's what happens to somebody trying to help. For an issue that, let me remind you, does not affect me, but others for whom I took the burden of reporting. No more. (I have received kind letters, off list, even from people outside the project, about this. Thanks go to them) - -- Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkxYcB8ACgkQU92UU+smfQVHEACfQe0PyFyn1xwCGzcFm6aNv0dh s74AnjbCklWwHCyv4FBF7bnE8IGDCeCw =ws9N -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (3)
-
Carlos E. R. -
Manfred Riem -
Marcus Rueckert