Trac 0.12.5 "soon" ... and 1.0.1, 1.1.1 as well

Christian Boos

Oct 8, 2012, 5:00:12 PM
to trac...@googlegroups.com
Hello,

The little issue we had with to_json (#10877) is not just affecting
0.12.4 but also 1.0, of course.

1.0 had its own serious regression (#10840 - Zip source download fails
for large directories). 1.0.1 fixes this and comes with some additional
polish (e.g. #10871 - Improve custom list fields to behave like keywords).

And 1.1.1 has a few nice features (e.g. #1942 - Add support for date
type in custom ticket fields, #10854 - Batch modify custom time ticket
field).

So, I think that even if there's not many tickets fixed yet, all these
milestones are close to being in a releasable state. Some general testing
and feedback on the last pending tickets would be welcome.

http://trac.edgewall.org/query?status=!closed&milestone=0.12.5&milestone=1.0.1&milestone=1.1.1

I'm not sure it's worth making betas: if there's really a need to fix
something we could just make a follow-up release (e.g. 0.12.5.1). As for
the time frame, end of this week seems possible for me.

-- Christian

Felix Schwarz

Oct 8, 2012, 5:08:20 PM
to trac...@googlegroups.com
Hi Christian,

On 08.10.2012 23:00, Christian Boos wrote:
> I'm not sure it's worth making betas: if there's really a need to fix
> something we could just make a follow-up release (e.g. 0.12.5.1). As for
> the time frame, end of this week seems possible for me.

At least for 0.12.5 I don't think that's necessary.

Could you please include the md5 sum in your email announcement? Last time
only 1.0 was mentioned. Ideally the md5 hash file would be signed with GPG.

Use case: I'm a Fedora packager and when updating Trac I have to be
extra-careful about adding new source packages. I'd like to verify that the
downloaded source was not altered in any way.

fs

Steffen Hoffmann

Oct 8, 2012, 5:28:04 PM
to trac...@googlegroups.com
On 08.10.2012 23:08, Felix Schwarz wrote:
...
> Ideally the md5 hash file would be signed with GPG.
>
> Use case: I'm a Fedora packager and when updating Trac I have to be
> extra-careful about adding new source packages. I'd like to verify that the
> downloaded source was not altered in any way.

+1, even if few people care, I do as well.

Steffen Hoffmann

Remy Blank

Oct 8, 2012, 5:51:08 PM
to trac...@googlegroups.com
Felix Schwarz wrote:
> Could you please include the md5 sum in your email announcement? Last time
> only 1.0 was mentioned. Ideally the md5 hash file would be signed with GPG.

The md5 hashes can be found on TracDownload, as well as in the download
directory <http://download.edgewall.org/trac/>. Isn't that sufficient?

GPG signing would be nice, yes.

-- Remy

Felix Schwarz

Oct 9, 2012, 3:36:31 AM
to trac...@googlegroups.com

On 08.10.2012 23:51, Remy Blank wrote:
> Felix Schwarz wrote:
>> Could you please include the md5 sum in your email announcement? Last time
>> only 1.0 was mentioned. Ideally the md5 hash file would be signed with GPG.
>
> The md5 hashes can be found on TracDownload, as well as in the download
> directory <http://download.edgewall.org/trac/>. Isn't that sufficient?

A malicious attacker gains access to the edgewall.org server and can place a
modified source tarball (e.g. containing a backdoor) in the download
directory. Of course he can easily put a matching md5 hash file beside it.
Modifying the Trac database so TracDownload displays the same (bad) hash
should be easy in that case.

If you send the info by mail I can check my local inbox for the hash -
unlikely that the same attacker also managed to break into my computer.

Therefore we either need signed hashes or at least hashes via email.

fs
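
Added example, not part of the thread and not Trac project code: it works through the argument in the message above, that a hash file stored beside the tarball cannot reveal a server-side swap while a hash kept from the announcement e-mail can. The file name, byte strings and helper functions are constructed for illustration.

```python
import hashlib
import hmac
import re

# md5sum output format: 32 hex digits, a space, ' ' (text) or '*' (binary), file name
MD5_LINE = re.compile(r"([0-9a-fA-F]{32}) [ *](.+)")

def parse_md5sums(text):
    """Parse md5sum-style text into {file name: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        m = MD5_LINE.fullmatch(line)
        if m is None:
            raise ValueError("malformed md5sum line: %r" % line)
        entries[m.group(2)] = m.group(1).lower()
    return entries

def matches(name, data, md5sums_text):
    """True only if `name` is listed and its digest equals md5(data)."""
    expected = parse_md5sums(md5sums_text).get(name)
    if expected is None:
        return False  # a missing entry is a failure, never a pass
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)

def check_download(name, data, server_md5sums, announced_md5sums):
    """Return (agrees with server's hash file, agrees with announced hash)."""
    return (matches(name, data, server_md5sums),
            matches(name, data, announced_md5sums))

def md5_line(name, data):
    """Build one md5sum-format line for constructed sample data."""
    return "%s  %s\n" % (hashlib.md5(data).hexdigest(), name)

# Constructed sample data (placeholder name, stand-in bytes).
NAME = "Trac-X.Y.Z.tar.gz"
GENUINE = b"constructed stand-in for the released tarball"
TAMPERED = GENUINE + b" with an extra payload"
ANNOUNCED = md5_line(NAME, GENUINE)      # hash kept in the packager's inbox
SERVER_BEFORE = md5_line(NAME, GENUINE)  # hash file in the download directory
SERVER_AFTER = md5_line(NAME, TAMPERED)  # regenerated by whoever swapped the tarball

def demo():
    return {
        "genuine": check_download(NAME, GENUINE, SERVER_BEFORE, ANNOUNCED),
        "tampered": check_download(NAME, TAMPERED, SERVER_AFTER, ANNOUNCED),
    }

if __name__ == "__main__":
    print(demo())
```

The tampered download still agrees with the server's own hash file; only the independently held hash disagrees, which is the gap a GPG signature over the hash file would also close.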