[Zope] Re: [Zope-Annce] Zope 2.8.9, Zope 2.9.7, Zope 2.10.3 released
Marc Balmer wrote:
Andreas Jung wrote:
I uploaded corrected versions of the Zope 2.9.7 and 2.10.3 tar-balls. The tar-balls released yesterday contained a bug that caused a startup failure when using "zopectl start".
don't do this again.
Don't do what? I was about to agree, as I don't think re-releasing under the same version number was correct: the new releases should be 2.9.7.1, 2.10.3.1, or something similar (or bump to 2.9.8, 2.10.4).
this bug is so obvious to catch that I have some serious doubts about your software testing process. are you releasing totally untested code? can we trust your releases in the future, will you change sth in your process?
The testing that gets done is not done from "released" tarballs, but from subversion checkouts. This was a bug in the process that created the tarball from a checkout, and not in the underlying Zope software itself. I *think* it also affected only those who build and install Zope as root, although I can't tell for sure, since the tarballs have been replaced. At any rate, I *never* build, install, or run Zope as root, and hence would never have noticed the problem, even if I were doing the releases myself.
Releasing software as a security fix that does not even start makes you look like a moron, I am sorry to say.
Too harsh. Certainly nobody likes having released a "brown bagger", but mistakes do happen.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

Tres Seaver wrote:
Marc Balmer wrote:
Andreas Jung wrote:
I uploaded corrected versions of the Zope 2.9.7 and 2.10.3 tar-balls. The tar-balls released yesterday contained a bug that caused a startup failure when using "zopectl start".
don't do this again.
Don't do what? I was about to agree, as I don't think re-releasing under the same version number was correct: the new releases should be 2.9.7.1, 2.10.3.1, or something similar (or bump to 2.9.8, 2.10.4).
this bug is so obvious to catch that I have some serious doubts about your software testing process. are you releasing totally untested code? can we trust your releases in the future, will you change sth in your process?
The testing that gets done is not done from "released" tarballs, but from subversion checkouts. This was a bug in the process that created the tarball from a checkout, and not in the underlying Zope software itself. I *think* it also affected only those who build and install Zope as root, although I can't tell for sure, since the tarballs have been replaced. At any rate, I *never* build, install, or run Zope as root, and hence would never have noticed the problem, even if I were doing the releases myself.
Following up to myself, as I had wrongly assumed that this problem was related to file permissions in the tarball (only an issue on the 2.8 branch, apparently). *I* introduced the bug here, by failing to add a REQUEST parameter to one method. I *did* test starting the server, but only using 'zopectl fg', and not 'zopectl start', as well as running all the unit and functional tests for each branch before checking in.

As a process fix: we should be adding functional tests which exercise the 'start', 'restart', 'fg', etc. verbs of 'zopectl'.

Mea culpa. I owe the wine or equivalent comestibles to Andreas and Martijn.

Tres.
--
===================================================================
Tres Seaver +1 540-429-0999 tseaver@palladion.com
Palladion Software "Excellence by Design" http://palladion.com

On 3/26/07, Tres Seaver <tseaver@palladion.com> wrote:
Releasing software as a security fix that does not even start makes you look like a moron, I am sorry to say.
Calling people morons makes you look like one, I'm afraid. The bug had only indirectly to do with the recent security fix. The startup problem only occurred when running Zope in managed mode, something most developers never do because you normally want to see the Zope log output when developing, so you catch problems early. So the problem was limited to a special-cased method declaration that only gets run in a deployment setting. This was one of those rare cases of bad luck, as the developer in question was not aware of the fact that this one special-cased method was not covered by a unit or functional test.

--
Martijn Pieters

--On 26 March 2007 16:49:30 -0400 Tres Seaver <tseaver@palladion.com> wrote:
Marc Balmer wrote:
Andreas Jung wrote:
I uploaded corrected versions of the Zope 2.9.7 and 2.10.3 tar-balls. The tar-balls released yesterday contained a bug that caused a startup failure when using "zopectl start".
don't do this again.
Don't do what? I was about to agree, as I don't think re-releasing under the same version number was correct: the new releases should be 2.9.7.1, 2.10.3.1, or something similar (or bump to 2.9.8, 2.10.4).
Creating a new release takes me about 45 minutes for each release..time I don't have this week before my vacation. So my decision should be acceptable for the Zope world - perhaps not for the packagers...anyway things happen...
this bug is so obvious to catch that I have some serious doubts about your software testing process. are you releasing totally untested code? can we trust your releases in the future, will you change sth in your process?
The testing that gets done is not done from "released" tarballs, but from subversion checkouts. This was a bug in the process that created the tarball from a checkout, and not in the underlying Zope software itself. I *think* it also affected only those who build and install Zope as root, although I can't tell for sure, since the tarballs have been replaced. At any rate, I *never* build, install, or run Zope as root, and hence would never have noticed the problem, even if I were doing the releases myself.
I usually test the tar-balls but only using "zopectl fg" which did not show any errors for the three releases.

Andreas

participants (3): Andreas Jung, Martijn Pieters, Tres Seaver