[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [gpsd-users] GPSD on Debian 10 (buster): allowing other hosts to acc

From: Gary E. Miller
Subject: Re: [gpsd-users] GPSD on Debian 10 (buster): allowing other hosts to access gpsd
Date: Mon, 30 Sep 2019 13:21:33 -0700

Yo Bernd!

On Mon, 30 Sep 2019 21:53:51 +0200
Bernd Zeimetz <address@hidden> wrote:

> On 9/29/19 11:25 PM, Gary E. Miller wrote:
> >> Which makes life for (almost) all distributions really hard.  
> > 
> > I fail to see how the numbering system affects anything.  Linus uses
> > the number of his toes (20).  If you prefer from now on 3.19.1, then
> > 3.19.2, then that is possible.  
> I'm not asking for a different way how releases are being named. I'm
> asking for stable point-releases which do not change the abi/api, but
> only fix bugs.

The API changes you have complained about in the past fixed bugs.  That
is the ONLY reason the API has changed in years.

So your request is logically impossible.

> >> A distribution can't just upload a new packages, neither to the
> >> current testing/development branch, nor to stable releases.  
> > 
> > And yet, many manage to do that just fine.  
> There are some differences:
> - some distributions just don't care if something breaks for some time
> - some have paid developers...
> - some are much bigger than others and do not have paid developers.

Lost me.  Relevance?

> Reverse Build-depends in main:
> ------------------------------
> alfred
> collectd
> direwolf
> foxtrotgps
> marble
> navit
> osmo-bts
> plasma-workspace
> s3d
> uhd
> viking

Thanks for the list.  I was unaware of those, and none have contacted
gpsd, at least for years.  Now how do we get get them the message that
they are using an old and known vulnerable API?

> > We are here to help.  
> Nothing you can help with, except you want to provide patches for
> ~half of the projects mentioned above.

The API change is trivial.  I'd be happy to work with any that
care to not be using a known broken API.

> >> That alone is not the problem, it happens automatically.  
> > 
> > Oh, well then, why bring it up?  
> We can't rebuild the everything every other day, transitions need to
> be coordinated.

Fair enough.  But taking several years is something very different.
Also a problem of Ubuntu's making.  Other distros do rebuild every day.

> >> But we also have other transitions that trigger a lot of rebuilds,
> >> so things need to be coordinated. Which takes some more time and
> >> ressources. Then gpsd is in a development release.  
> > 
> > Every distro handles that transitions differently.  Is there
> > something gpsd should do differently in there?  
> If you change things that need code changes in the projects which are
> using libgps, warn early. As soon as they land in git would be the
> best time...

Sadly CVE are by design private and no warning is possible.  NDA
prevented early disclosure of the one API change that you objected to.

> Avoiding soname bumps if possible would be nice, also (I know its not
> always possible, but often it is.

The API changes have been very few and far between.  The ABI changes
will be frequent as long as gpsd use C and C has no map class.

> >> For stable releases, this is impossible.  
> > 
> > Fair enough, but shipping 5 year old gpsd in a new "stable" release
> > is unfair to the gpsd users.  
> 5 years old? Please don't talk bullshit.
> 3.17: 2017-09-07. That is two years ago.
> 3.18: 2018-10-02 - we had a transition freeze on 2019-01-12 - two
> months are just not enough time to fix all packages which failed to
> build with the new release.

Uh, I was not talking about Ubuntu.  Don't take every thing personal.
I'm talking about RHEL which does ship 5+ year old software.

I could provide all the patches you need in two days.  If you are gonna
be slow, own it.

> >> We can't rebuild the whole archive. All we can do is to fix bugs
> >> without breaking other things. So..  
> > 
> > Yeah, boxed yourself in there, didn't you?  
> What do you mean? We've fixed the CVEs and at least those bugs in
> json.c in buster, and the CVE in oldstable... I had a look through
> the commit logs and actually asked on irc and by mail to esr if there
> is something else to fix, I did not get a reply - and I was not able
> to find another pickable commit. Don't blame me..

Apples and oranges.  There is no pickable backport by gpsd policy.  The
few that have been pointed out to you you have refused to apply.  No
point tossing you small one when you refuse the big ones.

> > And I'm with Linus on this one, flagging changes as CVEs, or
> > critical, just helps the black hats.  The kernel does not do it.  
> Should I get you the list of CVEs in the kernel?

I'm already on it.

> But the kernel people also tell distributions if there is something
> broken, so thats not an issue at all.

We must be reading a different LKML.

But, since you asked, the API change that you refuse to pick up is
the really big one that Ubuntu is missing.  If you are not gonna
do the big ones, I'm not wsintg my time on the little ones.

> >> So basically *you* need to tell the maintainers which issues need
> >> to be backported, and which ones are bad enough that they need a
> >> CVE or at least a security upload.  
> > 
> > I'm 100% against backports.  I am 100% with Linus that they are a
> > sore upon humanity.  If you feel the need to do that, then check
> > the gpsd git logs, issues and MR's.  
> Even the Linux kernel has LTS releases which are maintained for
> years...

And the proven track record of those is bad, which is why their number
and duration has been shinking fast.  As discussed on LKML.

> > I guess I'll take #3.  Not enough man power for the first two.  #3
> > will save us a lot of time helping people with broken packages.  
> Oh and it will save me a lot of time I seem to be wasting to package
> gpsd...

Seems to me, since you are on an admittedly two year old version, that
you wasted time amounts to near zero.

> Those packages are not broken.

Known bugs, that you refuse to fix.

> What you see are those who don't know
> how to use Linux.

Actually, it is just those that get cconfused by the turd that is

> Do you really want to help them to compile gpsd and

YES!  I'm sick of supporting Ubuntu's mistakes.

> have a ton of old, never updated installations out there?

It is Ubuntu that is never updated.

Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        address@hidden  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can't measure it, you can't improve it." - Lord Kelvin

Attachment: pgpkk9AUsdMNG.pgp
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]