Discussion:
[mantisbt-dev] 1.2.18 release
Damien Regad
2014-10-18 22:23:11 UTC
Permalink
Paul,

As you know we have several open security issues including some fairly
critical ones. I have fixes ready to go for the most recent ones, and to
close the loop I want to release 1.2.18 as soon as possible.

*I remind you that you owe us a series of security fixes since May*, and
you agreed earlier this week on IRC [1] to send them to me via e-mail by
Friday.

It is now late Saturday (early Sunday actually), and I still haven't
received anything from you. To be blunt:

YOU ARE BLOCKING A SECURITY RELEASE

This is really unprofressional. Please act responsibly, and put on hold
some of the trivialities you've been working on for the past few
weeks/months for the few minutes it will take to send me patches. And
please don't give me any of that shit again about your SSH access.

Damien

[1]
http://www.mantisbt.org/irclogs/mantisbt/2014/mantisbt.2014-10-15.log.html
P Richards
2014-10-18 23:09:32 UTC
Permalink
Apparently your email address doesn't work correctly - at least (rather
amusingly) google isn't allowing a google user to email another google user:

Delivery to the following recipient failed permanently:

***@mantisbt.org

Technical details of permanent failure:
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review
our Bulk Email Senders Guidelines.

----- Original message -----

X-Received: by 10.180.85.102 with SMTP id g6mr8889617wiz.54.1413672671965;
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
Return-Path: <***@mantisforge.org>
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com.
[209.85.212.175])
by mx.google.com with ESMTPS id
r8si3539198wiy.73.2014.10.18.15.51.11
for <***@mantisbt.org>
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
Received-SPF: none (google.com: ***@mantisforge.org does not designate
permitted sender hosts) client-ip=209.85.212.175;
Authentication-Results: mx.google.com;
spf=neutral (google.com: ***@mantisforge.org does not designate
permitted sender hosts) smtp.mail=***@mantisforge.org
Received: by mail-wi0-f175.google.com with SMTP id d1so4483466wiv.14
for <***@mantisbt.org>; Sat, 18 Oct 2014 05:51:11 -0700 (PDT)

-----Original Message-----
From: Damien Regad [mailto:***@mantisbt.org]
Sent: 18 October 2014 23:23
To: Mantisbt-***@lists.sourceforge.net
Subject: [mantisbt-dev] 1.2.18 release

Paul,

As you know we have several open security issues including some fairly
critical ones. I have fixes ready to go for the most recent ones, and to
close the loop I want to release 1.2.18 as soon as possible.

*I remind you that you owe us a series of security fixes since May*, and you
agreed earlier this week on IRC [1] to send them to me via e-mail by Friday.

It is now late Saturday (early Sunday actually), and I still haven't
received anything from you. To be blunt:

YOU ARE BLOCKING A SECURITY RELEASE

This is really unprofressional. Please act responsibly, and put on hold some
of the trivialities you've been working on for the past few weeks/months for
the few minutes it will take to send me patches. And please don't give me
any of that shit again about your SSH access.

Damien

[1]
http://www.mantisbt.org/irclogs/mantisbt/2014/mantisbt.2014-10-15.log.html


----------------------------------------------------------------------------
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
Robert Munteanu
2014-10-20 14:36:05 UTC
Permalink
(Sorry for asking but not contributing to this fix, but .... ) do we
need to wait for Paul's patches or can someone come up with a security
fix?

I think it's not reponsibile towards our users to wait for someone to
produce a security fix for such a long time.

Cheers,

Robert
Post by P Richards
Apparently your email address doesn't work correctly - at least (rather
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to review
our Bulk Email Senders Guidelines.
----- Original message -----
X-Received: by 10.180.85.102 with SMTP id g6mr8889617wiz.54.1413672671965;
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com.
[209.85.212.175])
by mx.google.com with ESMTPS id
r8si3539198wiy.73.2014.10.18.15.51.11
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
permitted sender hosts) client-ip=209.85.212.175;
Authentication-Results: mx.google.com;
Received: by mail-wi0-f175.google.com with SMTP id d1so4483466wiv.14
-----Original Message-----
Sent: 18 October 2014 23:23
Subject: [mantisbt-dev] 1.2.18 release
Paul,
As you know we have several open security issues including some fairly
critical ones. I have fixes ready to go for the most recent ones, and to
close the loop I want to release 1.2.18 as soon as possible.
*I remind you that you owe us a series of security fixes since May*, and you
agreed earlier this week on IRC [1] to send them to me via e-mail by Friday.
It is now late Saturday (early Sunday actually), and I still haven't
YOU ARE BLOCKING A SECURITY RELEASE
This is really unprofressional. Please act responsibly, and put on hold some
of the trivialities you've been working on for the past few weeks/months for
the few minutes it will take to send me patches. And please don't give me
any of that shit again about your SSH access.
Damien
[1]
http://www.mantisbt.org/irclogs/mantisbt/2014/mantisbt.2014-10-15.log.html
----------------------------------------------------------------------------
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
--
http://robert.muntea.nu/
P Richards
2014-10-20 17:25:44 UTC
Permalink
Damien doesn't accept a patch via email, and I'm hesistant to put in a PR
for a security issue. Someone(damien) removed by access to github on
Saturday (and still hasn't said anything) - so it's not possible to even
commit security fixes.

The last security update that I did for 1.2 and got put into a release was
credited to someone else and I wasn't acknowledged for it in any way, so,
hence wanting to push a git branch somewhere where the same thing won't be
done again.

When I did try sending an email to ***@mantisbt.org it returned a
permanent failure, so...

Paul

-----Original Message-----
From: Robert Munteanu [mailto:***@gmail.com]
Sent: 20 October 2014 15:36
To: developer discussions
Subject: Re: [mantisbt-dev] 1.2.18 release

(Sorry for asking but not contributing to this fix, but .... ) do we need to
wait for Paul's patches or can someone come up with a security fix?

I think it's not reponsibile towards our users to wait for someone to
produce a security fix for such a long time.

Cheers,

Robert
Post by P Richards
Apparently your email address doesn't work correctly - at least (rather
Message rejected by Google Groups. Please visit
http://mail.google.com/support/bin/answer.py?hl=en&answer=188131 to
review our Bulk Email Senders Guidelines.
----- Original message -----
X-Received: by 10.180.85.102 with SMTP id g6mr8889617wiz.54.1413672671965;
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com.
[209.85.212.175])
by mx.google.com with ESMTPS id
r8si3539198wiy.73.2014.10.18.15.51.11
(version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
Sat, 18 Oct 2014 05:51:11 -0700 (PDT)
designate permitted sender hosts) client-ip=209.85.212.175;
Authentication-Results: mx.google.com;
Received: by mail-wi0-f175.google.com with SMTP id d1so4483466wiv.14
-----Original Message-----
Sent: 18 October 2014 23:23
Subject: [mantisbt-dev] 1.2.18 release
Paul,
As you know we have several open security issues including some fairly
critical ones. I have fixes ready to go for the most recent ones, and
to close the loop I want to release 1.2.18 as soon as possible.
*I remind you that you owe us a series of security fixes since May*,
and you agreed earlier this week on IRC [1] to send them to me via e-mail
by Friday.
Post by P Richards
It is now late Saturday (early Sunday actually), and I still haven't
YOU ARE BLOCKING A SECURITY RELEASE
This is really unprofressional. Please act responsibly, and put on
hold some of the trivialities you've been working on for the past few
weeks/months for the few minutes it will take to send me patches. And
please don't give me any of that shit again about your SSH access.
Damien
[1]
http://www.mantisbt.org/irclogs/mantisbt/2014/mantisbt.2014-10-15.log.
html
----------------------------------------------------------------------
------
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
----------------------------------------------------------------------
-------- Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
--
http://robert.muntea.nu/

----------------------------------------------------------------------------
--
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
mantisbt-dev mailing list
mantisbt-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev
Damien Regad
2014-10-20 21:54:02 UTC
Permalink
Post by P Richards
Damien doesn't accept a patch via email
???
I repeatedly asked you to send me the patches by e-mail, so why do you
say I don't accept them ?
Post by P Richards
The last security update that I did for 1.2 and got put into a release was
credited to someone else and I wasn't acknowledged for it in any way, so,
hence wanting to push a git branch somewhere where the same thing won't be
done again.
That's somewhat out of topic, but I find your comment amusing, coming
from someone who frequently commits other people's work under their own
name...
Post by P Richards
permanent failure, so...
Strangely enough, you seem to be the only person having issues with my
e-mail - I'm receving plenty of messages from many people on this
address everyday, so I'm quite sure there are no issues on my end.

And I'd say the problems are seemingly random, too, since I've even
received 2 e-mails from you on 19-Oct (subject 'moo1' and 'FW: Delivery
Status Notification (Failure)')

So I suggest you try to send these patches again.

Alternatively, as suggested by someone else before, fix your mantisforge
gitlab, and give me access to whatever private branch you want over there.
Loading...