Leak of Frameworks 5.88.0

Marc Deop i Argemí marcdeop at fedoraproject.org
Sat Nov 13 20:42:05 GMT 2021 

On Saturday, 13 November 2021 03:49:32 CET Ben Cooksley wrote:
> Hi all,
> 
> It has recently been brought to my attention that packages of KDE
> Frameworks 5.88.0 have been prematurely released by the distribution
> PCLinuxOS, as visible at https://repology.org/project/krunner/versions
> 

Maybe (hopefully) it was just a mistake?  We should contact them and ask. ( I 
acknowledge this seems like wishful thinking though).

> they obtained the packages from someone else (either because they directly
> shared their access, because they shared the packages with PCLinuxOS or
> because PCLinuxOS has discovered the location of source packages for one or
> more distributions).

As Neal mentioned in another email, some distros already have the packages 
prepared and they are publicly available (Fedora, Maegia and possibly others) 
although not in their stable releases.

In particular, we (Fedora KDE-SIG) build the packages in Rawhide (the 
development version of Fedora) and we use a COPR( like an Ubuntu PPA) under my 
namespace to build packages for early adopters who help us find issues.

Unfortunately, if somebody wants to gather the sources from those places they 
certainly can do so without real blockers.

If it's a problem, we can stop building in COPR until the release is official. I 
asked a few months ago and I was told it was ok to have it as long as it was 
not publicly announced ( I don't remember who told me though, apologies).

The big problem here is: not building in Rawhide would complicate preparing 
packages quite a bit for us. We could probably find a solution, of course, but 
I rather not change the existing mechanism for practical reasons.

> It would be appreciated if distributions could please review whether it is
> possible that PCLinuxOS obtained the packages via them and ask the
> PCLinuxOS team to please contact us as it would be preferrable that such
> premature leaks/releases did not take place.
>

I will make sure to bring this up on our (Fedora KDE-SIG) next meeting on 
Monday to talk about it. Any KDE person is more than welcome to join (Nate, 
Carl, Aleix join us somehow often :-) )

More information about the release-team mailing list