Quake3 security issue and non-responsive maintainer: Xavier Lamien

Przemek Klosowski przemek.klosowski at nist.gov
Tue May 11 23:10:17 UTC 2010


On 05/11/2010 05:26 PM, Jeff Spaleta wrote:
> On Tue, May 11, 2010 at 1:47 AM, Chen Lei<supercyper1 at gmail.com> wrote:
>> It seems a lot of trivial packages in fedora are unmaintained for a long
>
> I dispute your claim that there are "a lot."
>
> Yes we are going to have things fall through the cracks. But I've
> seen no analysis and no tools which would help us identify things
> which are in an unmaintained state for long periods of time..for some
> consensus definition of "unmaintained". Until we have that analysis
> we can't know if we are talking about 10% or 1% or 0.01% of our
> packages.

I think the root of the problem is the lack of an automated testing
rig, in the sense of, for example, VTK's nightly build dashboard:

http://www.cdash.org/CDash/index.php?project=PublicDashboard

We are doing test builds, but we don't have infrastructure to do
automatic application level testing, even for simple things like
starting the application, making sure the window or prompt appears
and checking that a basic command returns an expected result.

I keep stumbling into Fedora packages that simply don't run. Of course
they tend to be not very important, lightly used packages, and the
percentage is probably minuscule, but it's a good example of how
people might become annoyed and make claims like Chen Lei's.

A couple of examples that I reported (one fixed, one to go):

- BLT extension to TCL failed its own tests
   https://bugzilla.redhat.com/show_bug.cgi?id=486165

- drpython fails to run at all
   https://bugzilla.redhat.com/show_bug.cgi?id=591213

To protect Fedora's reputation this issue needs to be dealt with. We are
far from a crisis of course, but leaving things on autopilot leads to
situations like the WUSTL collection in the 80's with thousands of Basic
programs in various states of disrepair.

This probably means at least a rudimentary application testing rig
and a discipline that identifies and deals with distressed packages.
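A sketch of the "rudimentary application testing rig" the post asks for, added here as an illustration and not part of the original message or of Fedora's infrastructure: each package gets one basic command that must start, exit cleanly within a time limit and print an expected string, and anything that fails is reported as distressed. The harness name, the manifest format and the sample entries are all assumptions of this example.

```shell
# Hypothetical smoke-test harness (not Fedora's own tooling): for each package,
# run one basic command and require that it exits 0 within a time limit and
# that its output contains an expected string. Assumes POSIX sh; uses the
# coreutils `timeout` utility when present so that a hanging program is caught.

# smoke_test NAME COMMAND EXPECTED [TIMEOUT_SECONDS]
# Returns 0 on success, 1 on wrong output, 2 on non-zero exit, 3 on a hang.
smoke_test() {
    name=$1; cmd=$2; expected=$3; limit=${4:-10}
    status=0; runner=""
    if command -v timeout >/dev/null 2>&1; then runner="timeout $limit"; fi
    out=$($runner sh -c "$cmd" 2>&1) || status=$?
    if [ "$status" -eq 124 ]; then
        echo "FAIL $name: hung for more than ${limit}s"; return 3
    elif [ "$status" -ne 0 ]; then
        echo "FAIL $name: exit status $status"; return 2
    fi
    case $out in
        *"$expected"*) echo "ok   $name"; return 0 ;;
        *) echo "FAIL $name: expected '$expected' in output"; return 1 ;;
    esac
}

# run_suite reads "name|command|expected" lines from stdin and runs each one;
# its return value is the number of distressed packages (capped at 255).
run_suite() {
    failed=0
    while IFS='|' read -r name cmd expected; do
        if [ -n "$name" ]; then
            smoke_test "$name" "$cmd" "$expected" || failed=$((failed + 1))
        fi
    done
    echo "distressed packages: $failed"
    if [ "$failed" -gt 255 ]; then failed=255; fi
    return "$failed"
}

# Constructed sample manifest: two commands that exist on any POSIX system,
# plus one deliberately missing binary standing in for a package that won't run.
SAMPLE_MANIFEST='coreutils|echo hello-from-coreutils|hello-from-coreutils
sh|sh -c "echo ok"|ok
missing-pkg|no-such-binary-xyz --version|version'

if printf '%s\n' "$SAMPLE_MANIFEST" | run_suite; then
    echo "every package starts and answers a basic command"
fi
```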
