Leak of Frameworks 5.88.0

Ben Cooksley bcooksley at kde.org
Sat Nov 13 17:40:06 GMT 2021


On Sun, Nov 14, 2021 at 12:11 AM Nicolas Lécureuil <kde at nicolaslecureuil.fr>
wrote:

> On 2021-11-13 04:15, Neal Gompa wrote:
> > On Fri, Nov 12, 2021 at 9:49 PM Ben Cooksley <bcooksley at kde.org> wrote:
> >>
> >> Hi all,
> >>
> >> It has recently been brought to my attention that packages of KDE
> >> Frameworks 5.88.0 have been prematurely released by the distribution
> >> PCLinuxOS, as visible at https://repology.org/project/krunner/versions
> >>
> >> This is somewhat concerning for several reasons, but in particular
> >> because they don't have an early access packager account of their own
> >> - meaning they obtained the packages from someone else (either because
> >> they directly shared their access, because they shared the packages
> >> with PCLinuxOS or because PCLinuxOS has discovered the location of
> >> source packages for one or more distributions).
> >>
> >> This is now the second time in as many months that packages have been
> >> made available earlier than they should have by one or more
> >> distributions.
> >>
> >> While this isn't a substantial problem, it is of concern as the
> >> purpose of the pre-release mechanism is to allow any final issues to
> >> be ironed out before the final release is announced and made publicly
> >> available - which this premature release is defeating.
> >>
> >> It would be appreciated if distributions could please review whether
> >> it is possible that PCLinuxOS obtained the packages via them and ask
> >> the PCLinuxOS team to please contact us as it would be preferable
> >> that such premature leaks/releases did not take place.
> >>
> >
> > I would be very shocked if PCLinuxOS interacts with the KDE community
> > at all. My understanding is that they're quite insular and they grab
> > package sources from other distros for their builds.
> >
> > At least right now, Fedora Rawhide and Mageia Cauldron have KF5 5.88
> > committed and built. Chances are pretty good that they got it from
> > there. Fedora committed it 3 days ago. Mageia did it 4 days ago.
> >
> > If you want them to hold back, you'll have to reach out to PCLinuxOS
> > yourself.
>
> Hi,
>

Hi Nicolas,


> I don't know if this is us or not but in any case we will be more
> careful on when we release.
>

Your publication of the release has been fine - about the only thing I
might suggest is periodically changing the location of your staging/test
repository which contains the packages to break any automation people like
the folks at PCLinuxOS have if they are harvesting the packages from you.


> When we receive the mail about a new release, can we have the real "embargo
> date"?
>
> --
> Regards,
> Nicolas Lécureuil
> Mageia KDE Team
>

Cheers,
Ben


More information about the Distributions mailing list