From jaap at NLnetLabs.nl Wed Jul 4 11:49:32 2012 From: jaap at NLnetLabs.nl (Jaap Akkerhuis) Date: Wed, 04 Jul 2012 13:49:32 +0200 Subject: [Opendnssec-maintainers] Change in source repository behavior ??? Message-ID: <201207041149.q64BnWmo048526@bartok.nlnetlabs.nl> LS. Did something change here? The FreeBSD port system fetches the tar ball with fetch -AFpr http://www.opendnssec.org/files/source/opendnssec-tarball however that stopped working and returns the error message fetch: http://www.opendnssec.org/files/source/opendnssec-tarball: Moved Temporarily Dropping the A from the options to fetch make it work again as expected. Nevertheless, it would be nice if the old behavior could be restored. jaap From jerry at opendnssec.org Wed Jul 4 12:12:02 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 4 Jul 2012 14:12:02 +0200 Subject: [Opendnssec-maintainers] Change in source repository behavior ??? In-Reply-To: <201207041149.q64BnWmo048526@bartok.nlnetlabs.nl> References: <201207041149.q64BnWmo048526@bartok.nlnetlabs.nl> Message-ID: Hi Jaap, On Jul 4, 2012, at 13:49 , Jaap Akkerhuis wrote: > Did something change here? The FreeBSD port system fetches the tar ball > with > > fetch -AFpr http://www.opendnssec.org/files/source/opendnssec-tarball > however that stopped working and returns the error message > > fetch: http://www.opendnssec.org/files/source/opendnssec-tarball: Moved Temporarily > > Dropping the A from the options to fetch make it work again as > expected. Nevertheless, it would be nice if the old behavior could > be restored. We have temporarily setup an redirect from http://www.opendnssec.org/files/ to http://dist.opendnssec.org/ in order to be able to release during summer time because people with the right access might be away. Hope you understand. This will change in the few months to come to a more permanent solution. If FreeBSD (or any other) requires you do get source files without an redirect you can change the url to http://dist.opendnssec.org/source/opendnssec-tarball for the time being. There will come more information about the move as soon as its decided and available. Cheers, Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From jaap at NLnetLabs.nl Wed Jul 4 12:22:49 2012 From: jaap at NLnetLabs.nl (Jaap Akkerhuis) Date: Wed, 04 Jul 2012 14:22:49 +0200 Subject: [Opendnssec-maintainers] Change in source repository behavior ??? In-Reply-To: References: <201207041149.q64BnWmo048526@bartok.nlnetlabs.nl> Message-ID: <201207041222.q64CMnt3073526@bartok.nlnetlabs.nl> Hi Jerry, If FreeBSD (or any other) requires you do get source files without an redirect you can change the url to http://dist.opendnssec.org/source/opendnssec-tarball for the time being. Thanks for this info. I'll add this to the port. There will come more information about the move as soon as its decided and available. Yes, keep us informed. Thanks. jaap From jerry at opendnssec.org Sun Jul 8 13:22:03 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Sun, 8 Jul 2012 15:22:03 +0200 Subject: [Opendnssec-maintainers] Re: [Opendnssec-develop] WARNING: 1.4.0a1 appears in Red Hat Enterprise Linux repositories In-Reply-To: <4762EEA4-6F7B-4803-9C1F-E4CF82C8837D@surfnet.nl> References: <4762EEA4-6F7B-4803-9C1F-E4CF82C8837D@surfnet.nl> Message-ID: Hi, This is the works of Paul Wouters. I have pointed this out to him and posted on EPEL issue (https://bugzilla.redhat.com/show_bug.cgi?id=711899) that this is an ALPHA release and should not be pushed to production. It went unnoticed... opendnssec-1.4.0-0.a1.el6.2 has been pushed to the Fedora EPEL 6 stable repository. opendnssec-1.4.0-0.a1.fc16.2 has been pushed to the Fedora 16 stable repository. opendnssec-1.4.0-0.a1.fc17.2 has been pushed to the Fedora 17 stable repository. /Jerry On Sun, Jul 8, 2012 at 2:55 PM, Roland van Rijswijk - Deij wrote: > Hi all, > > A friendly warning: we are currently dealing with the fall out from what appears to be a stupid mistake by Red Hat. OpenDNSSEC 1.4.0a1 has appeared in repositories that are apparently configured on production systems by default. Consequently, our well-managed 1.3.9 install has been upgraded to 1.4.0a1 and all configuration has been wiped. > > I don't know which one of you (if any) has contacts at Fedora/Red Hat, but please tell them that 1.4.0 is an alpha that should NEVER end up in production repositories? From pwouters at redhat.com Sun Jul 8 18:43:45 2012 From: pwouters at redhat.com (Paul Wouters) Date: Sun, 8 Jul 2012 14:43:45 -0400 (EDT) Subject: [Opendnssec-maintainers] Re: [Opendnssec-develop] WARNING: 1.4.0a1 appears in Red Hat Enterprise Linux repositories In-Reply-To: References: <4762EEA4-6F7B-4803-9C1F-E4CF82C8837D@surfnet.nl> Message-ID: On Sun, 8 Jul 2012, Jerry Lundstr?m wrote: Hi Jerry, > I have pointed this out to him and posted on EPEL issue > (https://bugzilla.redhat.com/show_bug.cgi?id=711899) that this is an > ALPHA release and should not be pushed to production. To ensure your repositories always have a "newer" version compared to EPEL, please bump the epoch in your spec file and rebuild. This will ensure your packages always have preference over the EPEL tree. If Fedora/EPEL for whatever reason would need to set an epoch ourselves, we would give everyone notice so they could take preventive action. On Sun, Jul 8, 2012 at 2:55 PM, Roland van Rijswijk wrote: > Hi all, > > A friendly warning: we are currently dealing with the fall out from what appears to be a stupid mistake by Red Hat. OpenDNSSEC 1.4.0a1 has appeared in repositories that are apparently configured on production systems by default. Consequently, our well-managed 1.3.9 install has been upgraded to 1.4.0a1 and all configuration has been wiped. Note that rpm normally does not "wipe" configuration files, but creates either .rpmnew files, or saves old configs as .rpmsave files. So I am not sure what happened on that upgrade. Perhaps the custom spec files used had not marked all the config files with "noreplace" in their spec file? I am not sure what the rpm behaviour is when the non-epel spec file does not mark a file as noreplace, and the epel spec file installing over that. It could also be that different install paths are used. If someone gives me a link to the spec file used, I can see if we can ensure this would not happen in the future. (I did not see any links to the spec/rpms at http://www.opendnssec.org/download/packages/) Paul From sara at sinodun.com Thu Jul 12 10:51:01 2012 From: sara at sinodun.com (Sara (Sinodun)) Date: Thu, 12 Jul 2012 11:51:01 +0100 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: References: Message-ID: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> >> Unfortunately an alpha release of 1.4.0 (1.4.0a1) has been pushed to >> Fedora 16 / 17 and EPEL 6 stable repositories [1]. > > Note these were pushed months ago. An update on this from the OpenDNSSEC team perspective. The decision to push the1.4.0a1 release into EPEL was made by the package maintainer, against the advice of the OpenDNSSEC team. The ODS team does not consider this (or any alpha release) production ready and does not recommend the use of alphas in production environments. A discussion as to how to resolve the disagreement with regard to the version of ODS currently in EPEL is ongoing. We encourage users to test alpha releases in controlled test environments and value the feedback we get. We are also very pleased that an effort is underway to include OpenDNSSEC in EPEL. However our advice remains that only the official, stable releases should be used in production and we are working towards an official release of 1.4.0. > >> An upgrade can be devastating to your system, wipe configurations, so >> I would advise against it until this matter is resolved. > > As rpm never wipes config files, I looked into this and found that > there is a bug in the opendnssec.spec.in file shipped in trunk: > > %files > %defattr(-,opendnssec,opendnssec) > %config %{_sysconfdir}/opendnssec/* Unfortunately this file had not been updated in some time and anyone who had used this as the basis of a spec file would indeed have suffered from this issue. In future we will not ship a spec file, but leave it to the expert packager maintainers to develop such files as appropriate to their package. Sara. From sara at sinodun.com Thu Jul 12 10:56:40 2012 From: sara at sinodun.com (Sara (Sinodun)) Date: Thu, 12 Jul 2012 11:56:40 +0100 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> Message-ID: <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> Hi Maintainers, Firstly, given the recent push of an alpha release to the EPEL repository I would like to request input on the general principle of using alpha releases in packages. Secondly, my understanding is that the potential actions once a release in the EPEL repository is one of the following: 1) Remove opendnssec from EPEL for now 2) Downgrade 1.4.0a1 to 1.3.x using Epoch:1 and try to downgrade the db 3) Leave opendnssec 1.4.0a1 in EPEL The downgrade path for ODS is untested, could have unexpected consequences and involves a change to the Epoch. Therefore (given that the ODS team does not support the use an alpha release in EPEL) I would like to propose that 1) is undertaken. Paul (as package maintainer) - I believe at this point you still plan on 3? Any thoughts or suggestions on how to resolve this difference of opinion are gratefully received. Sara. Begin forwarded message: > From: "Sara (Sinodun)" > Date: 12 July 2012 11:51:01 GMT+01:00 > To: opendnssec-user at lists.opendnssec.org, opendnssec-maintainers at lists.opendnssec.org > Cc: Paul Wouters > Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) > > >>> Unfortunately an alpha release of 1.4.0 (1.4.0a1) has been pushed to >>> Fedora 16 / 17 and EPEL 6 stable repositories [1]. >> >> Note these were pushed months ago. > > An update on this from the OpenDNSSEC team perspective. > > The decision to push the1.4.0a1 release into EPEL was made > by the package maintainer, against the advice of the OpenDNSSEC team. The ODS > team does not consider this (or any alpha release) production ready and does not > recommend the use of alphas in production environments. A discussion as to how to > resolve the disagreement with regard to the version of ODS currently in EPEL is ongoing. > > We encourage users to test alpha releases in controlled test environments and value the > feedback we get. We are also very pleased that an effort is underway to include > OpenDNSSEC in EPEL. > > However our advice remains that only the official, stable releases should be used in > production and we are working towards an official release of 1.4.0. > >> >>> An upgrade can be devastating to your system, wipe configurations, so >>> I would advise against it until this matter is resolved. >> >> As rpm never wipes config files, I looked into this and found that >> there is a bug in the opendnssec.spec.in file shipped in trunk: >> >> %files >> %defattr(-,opendnssec,opendnssec) >> %config %{_sysconfdir}/opendnssec/* > > Unfortunately this file had not been updated in some time and anyone who had used > this as the basis of a spec file would indeed have suffered from this issue. In future > we will not ship a spec file, but leave it to the expert packager maintainers to develop > such files as appropriate to their package. > > Sara. > > > _______________________________________________ > Opendnssec-maintainers mailing list > Opendnssec-maintainers at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-maintainers ------------------------- Sara Dickinson http://sinodun.com Sinodun Internet Technologies Ltd. Stables 4, Suite 11 Howbery Park, Wallingford, Oxfordshire, OX10 8BA, U.K. -------------- next part -------------- An HTML attachment was scrubbed... URL: From pwouters at redhat.com Thu Jul 12 14:36:11 2012 From: pwouters at redhat.com (Paul Wouters) Date: Thu, 12 Jul 2012 10:36:11 -0400 (EDT) Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> Message-ID: On Thu, 12 Jul 2012, Sara (Sinodun) wrote: > Firstly, given the recent push of an alpha release to the EPEL repository I would like to request input on > the general principle of using alpha releases in packages.? > > Secondly, my understanding is that the potential actions once a release in the EPEL repository is one of > the following: > > 1) Remove opendnssec from EPEL for now > 2) Downgrade 1.4.0a1 to 1.3.x using Epoch:1 and try to downgrade the db > 3) Leave opendnssec 1.4.0a1 in EPEL > > The downgrade path for ODS is untested, could have unexpected consequences and involves a change to the > Epoch. Therefore?(given that the ODS team does not support the use an alpha release in EPEL)?I would like > to propose that 1) is undertaken.? > > Paul (as package maintainer) -? I believe at this point you still plan on 3? Yes. Removing a package also has side effects. Anyone with the package installed will be prevented from updating some libraries (eg botan) on their system because an old opendnssec package is compiled against it. Inevitably it would result in a conflict where some package insists on a newer library and the old opendnssec will depend on the old library, and the system will no longer be able to update itself without manual intervention by the sysadmin. Apart from that, I don't see the value of taking the option of people to run opendnssec from them, solely based on the definition of "alpha", especially since we determined the damage done recently was not in any way related to the EPEL package. 1.3.x rpms outside Fedora/EPEL do not seem to be readily available, especially if you also kill the spec file in opendnssec. People wanting to run opendnssec on RHEL would simply grab the SRPM from Fedora and end up in the exact same situation. Except they would have had to do more manual work for no apparent reason. It would likely lead to some other developer requesting an opendnssec branch for EPEL, and we'd be back at where we are today. > Any thoughts or suggestions on how to resolve this difference of opinion are gratefully received. I'd say the best way forward is to keep a very close eye on 1.4.x alpha in Fedora/EPEL and move it to a stable 1.4.0 release when we can. I could add some documentation to the description of the package that warns people this is alpha code and that they might want to use 1.3.x instead. Also, I am looking into the issue of the spec file, so that we can prevent future "overwriting config files" problems for people who installed opendnssec from the spec file shipped with opendnssec. Paul From ondrej at sury.org Fri Jul 13 07:44:25 2012 From: ondrej at sury.org (=?UTF-8?B?T25kxZllaiBTdXLDvQ==?=) Date: Fri, 13 Jul 2012 09:44:25 +0200 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> Message-ID: On Thu, Jul 12, 2012 at 4:36 PM, Paul Wouters wrote: > I'd say the best way forward is to keep a very close eye on 1.4.x alpha > in Fedora/EPEL and move it to a stable 1.4.0 release when we can. I > could add some documentation to the description of the package that warns > people this is alpha code and that they might want to use 1.3.x instead. Again with my (Debian) maintainer hat ON: I would agree with adding big fat warning about the version in EPEL being alpha to package description and leave it be. Much less collateral damage than downgrading (database changes) or removing (people who already installed will be left in the open). O. -- ?Ond?ej Sur? From sara at sinodun.com Fri Jul 13 14:16:46 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 13 Jul 2012 15:16:46 +0100 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> Message-ID: <6324E70E-23F2-4E2C-8021-D1732F65B31C@sinodun.com> On 13 Jul 2012, at 08:44, Ond?ej Sur? wrote: > On Thu, Jul 12, 2012 at 4:36 PM, Paul Wouters wrote: >> I'd say the best way forward is to keep a very close eye on 1.4.x alpha >> in Fedora/EPEL and move it to a stable 1.4.0 release when we can. I >> could add some documentation to the description of the package that warns >> people this is alpha code and that they might want to use 1.3.x instead. > > Again with my (Debian) maintainer hat ON: I would agree with adding big fat > warning about the version in EPEL being alpha to package description and > leave it be. > > Much less collateral damage than downgrading (database changes) or removing > (people who already installed will be left in the open). > > O. > -- > ?Ond?ej Sur? Ond?ej, Paul - thanks for the input. I can see there can be genuine technical issues with a removal too. So, given that we are where we are, how about a warning along the lines of: "The 1.4.0a1 release of OpenDNSSEC is included for testing purposes only. It should NOT be installed in production environments. Please see http://www.opendnssec.org/download/ for the latest stable release." Sara. From pwouters at redhat.com Sun Jul 15 21:28:15 2012 From: pwouters at redhat.com (Paul Wouters) Date: Sun, 15 Jul 2012 17:28:15 -0400 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: <6324E70E-23F2-4E2C-8021-D1732F65B31C@sinodun.com> References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> <6324E70E-23F2-4E2C-8021-D1732F65B31C@sinodun.com> Message-ID: <500335EF.2000604@redhat.com> On 07/13/2012 10:16 AM, Sara Dickinson wrote: > Ond?ej, Paul - thanks for the input. I can see there can be genuine technical issues with a removal too. > > So, given that we are where we are, how about a warning along the lines of: > > "The 1.4.0a1 release of OpenDNSSEC is included for testing purposes only. It should NOT be installed in production environments. > > Please see http://www.opendnssec.org/download/ for the latest stable release." I would personally say "not recommended for" versus "should NOT be used". It's opensource software, which should make recommendations to it users, but not try and dictate to its users. Something like "We strongly recommend this release is not used in production". As a side note, if you want people to test an alpha version, you should really give them an upgrade path to the final release. No one outside the core dev team will try alpha/beta releases unless they have a practical need (it resolves a problem for them) and then they're stuck in that migration path. Those are also the people that will give you more real life feedback. My experience as openswan upstream in the last 10 years has been that prereleases are almost completely ignored by everyone. Openswan does "DR" (developer release) and "RC" (Release Candidate) versions, but those have rarely received feedback outside the core developers, who often run git head anyway, or people who need it because of an important fix more recent then the latest full release. Paul From sara at sinodun.com Mon Jul 16 12:45:30 2012 From: sara at sinodun.com (Sara Dickinson) Date: Mon, 16 Jul 2012 13:45:30 +0100 Subject: [Opendnssec-maintainers] Re: [Opendnssec-user] Warning to all EPEL 6 users (Red Hat / Fedora / CentOS etc) (fwd) In-Reply-To: <500335EF.2000604@redhat.com> References: <972EE5F9-6351-429C-82BA-CAC86148566B@sinodun.com> <93C38B5D-2794-437B-828E-126488EFD187@sinodun.com> <6324E70E-23F2-4E2C-8021-D1732F65B31C@sinodun.com> <500335EF.2000604@redhat.com> Message-ID: On 15 Jul 2012, at 22:28, Paul Wouters wrote: >> So, given that we are where we are, how about a warning along the lines of: >> >> "The 1.4.0a1 release of OpenDNSSEC is included for testing purposes only. It should NOT be installed in production environments. >> >> Please see http://www.opendnssec.org/download/ for the latest stable release." > > I would personally say "not recommended for" versus "should NOT be > used". It's opensource software, which should make recommendations to it > users, but not try and dictate to its users. Something like "We strongly > recommend this release is not used in production". Point taken - that would work. Sara.