Leak of Frameworks 5.88.0

Ben Cooksley bcooksley at kde.org
Sun Nov 14 03:52:46 GMT 2021


On Sun, Nov 14, 2021 at 9:42 AM Marc Deop i Argemí <marcdeop at fedoraproject.org> wrote:

> On Saturday, 13 November 2021 03:49:32 CET Ben Cooksley wrote:
> > Hi all,
>

Hi Marc,

>
> > It has recently been brought to my attention that packages of KDE
> > Frameworks 5.88.0 have been prematurely released by the distribution
> > PCLinuxOS, as visible at https://repology.org/project/krunner/versions
> >
>
> Maybe (hopefully) it was just a mistake?  We should contact them and ask. (I
> acknowledge this seems like wishful thinking though).
>
> > they obtained the packages from someone else (either because they directly
> > shared their access, because they shared the packages with PCLinuxOS or
> > because PCLinuxOS has discovered the location of source packages for one or
> > more distributions).
>
> As Neal mentioned in another email, some distros already have the packages
> prepared and they are publicly available (Fedora, Mageia and possibly others)
> although not in their stable releases.
>
> In particular, we (Fedora KDE-SIG) build the packages in Rawhide (the
> development version of Fedora) and we use a COPR (like an Ubuntu PPA) under my
> namespace to build packages for early adopters who help us find issues.
>
> Unfortunately, if somebody wants to gather the sources from those places they
> certainly can do so without real blockers.
>
> If it's a problem, we can stop building in COPR until the release is official. I
> asked a few months ago and I was told it was ok to have it as long as it was
> not publicly announced (I don't remember who told me though, apologies).
>

That may have been me :)


> The big problem here is: not building in Rawhide would complicate preparing
> packages quite a bit for us. We could probably find a solution, of course, but
> I would rather not change the existing mechanism for practical reasons.
>

As long as the COPR repository in question is not widely advertised I think
what you're doing is perfectly fine.
From my understanding your repository is only shared among members of your
team and it isn't marked as official so nobody else should be aware of it.


>
> > It would be appreciated if distributions could please review whether it is
> > possible that PCLinuxOS obtained the packages via them and ask the
> > PCLinuxOS team to please contact us as it would be preferable that such
> > premature leaks/releases did not take place.
> >
>
> I will make sure to bring this up on our (Fedora KDE-SIG) next meeting on
> Monday to talk about it. Any KDE person is more than welcome to join (Nate,
> Carl, Aleix join us somewhat often :-) )
>

Thanks.

One possibility is that distributions could periodically change the
location where they "stage" the packages before release (by renaming the
repository, creating a new one, etc) to ensure that only those who should
be aware of the correct URL to the repository have it to hand.

Cheers,
Ben