[RFC] Remove older freetype versions

[RFC] Remove older freetype versions

[Tom Rini]

Hey all,

I'd like to remove all versions of freetype before 2.4.3.  The only dist 
which is pinning freetype currently does so via
conf/distro/include/preferred-opie-versions.inc and that pins to a 
non-existent version (it's using OPIE_VERSION which seems wrong).  All 
of the previous versions have various security issues, including 
remotely exploitable ones.  Only the very oldest version we have as a 
D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3 
(libraries are compat).

-- 
Tom Rini
Mentor Graphics Corporation

Re: [RFC] Remove older freetype versions

[Koen Kooi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12-10-10 18:26, Tom Rini wrote:
> Hey all,
> 
> I'd like to remove all versions of freetype before 2.4.3.  The only dist
> which is pinning freetype currently does so via
> conf/distro/include/preferred-opie-versions.inc and that pins to a
> non-existent version (it's using OPIE_VERSION which seems wrong).  All
> of the previous versions have various security issues, including
> remotely exploitable ones.  Only the very oldest version we have as a
> D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3
> (libraries are compat).

Speaking of freetype, the bytecode patent expired, so we can turn that
on and get nicer text :)

And removing older freetypes is a good idea

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFMtI/NMkyGM64RGpERAqDrAKCWutxfdYArulFqTU2ws2hyCNVeEwCfbVjn
vn8FRMOthyeFvYaGR1ZsLbs=
=LHiZ
-----END PGP SIGNATURE-----

Re: [RFC] Remove older freetype versions

[Philip Balister]

On 10/12/2010 12:41 PM, Koen Kooi wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12-10-10 18:26, Tom Rini wrote:
>> Hey all,
>>
>> I'd like to remove all versions of freetype before 2.4.3.  The only dist
>> which is pinning freetype currently does so via
>> conf/distro/include/preferred-opie-versions.inc and that pins to a
>> non-existent version (it's using OPIE_VERSION which seems wrong).  All
>> of the previous versions have various security issues, including
>> remotely exploitable ones.  Only the very oldest version we have as a
>> D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3
>> (libraries are compat).
>
> Speaking of freetype, the bytecode patent expired, so we can turn that
> on and get nicer text :)
>
> And removing older freetypes is a good idea

I'd like to point people at openwmbedded/removal.txt. This would be a 
good place to schedule things for deletion. As in I added a new version 
and made it active, but do not want to delete the older version for a 
couple of months just in case something crops up. So leave a note in 
removal.txt to look are removing a recipe on a certain date.

Philip

Re: [RFC] Remove older freetype versions

[Tom Rini]

Philip Balister wrote:
> On 10/12/2010 12:41 PM, Koen Kooi wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 12-10-10 18:26, Tom Rini wrote:
>>> Hey all,
>>>
>>> I'd like to remove all versions of freetype before 2.4.3.  The only dist
>>> which is pinning freetype currently does so via
>>> conf/distro/include/preferred-opie-versions.inc and that pins to a
>>> non-existent version (it's using OPIE_VERSION which seems wrong).  All
>>> of the previous versions have various security issues, including
>>> remotely exploitable ones.  Only the very oldest version we have as a
>>> D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3
>>> (libraries are compat).
>>
>> Speaking of freetype, the bytecode patent expired, so we can turn that
>> on and get nicer text :)
>>
>> And removing older freetypes is a good idea
> 
> I'd like to point people at openwmbedded/removal.txt. This would be a 
> good place to schedule things for deletion. As in I added a new version 
> and made it active, but do not want to delete the older version for a 
> couple of months just in case something crops up. So leave a note in 
> removal.txt to look are removing a recipe on a certain date.

In general, good idea.  But we've been doing things a lot quicker more 
recently.  And I'd like to not wait for a long time for security related 
items.

-- 
Tom Rini
Mentor Graphics Corporation

Re: [RFC] Remove older freetype versions

[Frans Meulenbroeks]

2010/10/12 Tom Rini <tom_rini@mentor.com>:
> Philip Balister wrote:
>>
>> On 10/12/2010 12:41 PM, Koen Kooi wrote:
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 12-10-10 18:26, Tom Rini wrote:
>>>>
>>>> Hey all,
>>>>
>>>> I'd like to remove all versions of freetype before 2.4.3.  The only dist
>>>> which is pinning freetype currently does so via
>>>> conf/distro/include/preferred-opie-versions.inc and that pins to a
>>>> non-existent version (it's using OPIE_VERSION which seems wrong).  All
>>>> of the previous versions have various security issues, including
>>>> remotely exploitable ones.  Only the very oldest version we have as a
>>>> D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3
>>>> (libraries are compat).
>>>
>>> Speaking of freetype, the bytecode patent expired, so we can turn that
>>> on and get nicer text :)
>>>
>>> And removing older freetypes is a good idea
>>
>> I'd like to point people at openwmbedded/removal.txt. This would be a good
>> place to schedule things for deletion. As in I added a new version and made
>> it active, but do not want to delete the older version for a couple of
>> months just in case something crops up. So leave a note in removal.txt to
>> look are removing a recipe on a certain date.
>
> In general, good idea.  But we've been doing things a lot quicker more
> recently.  And I'd like to not wait for a long time for security related
> items.

I agree with Tom on this, especially for security related issues.
I'd say removal.txt is mostly for removal of distro's, last versions
of recipes etc.
removal of older minor versions is imho at the discretion of the
maintainer of a recipe (and if there is none known, I feel it is best
judgement)
for majors some additional care is to be taken, but when it comes to
security related issues, I feel we should give priority to security.
Maybe we should discuss the removal policy at OEDEM.

Meanwhile for this proposal:
Acked-by: Frans Meulenbroeks <fransmeulenbroeks@gmail.com>

Re: [RFC] Remove older freetype versions

[Martin Jansa]

On Tue, Oct 12, 2010 at 09:26:57AM -0700, Tom Rini wrote:
> Hey all,
> 
> I'd like to remove all versions of freetype before 2.4.3.  The only dist 
> which is pinning freetype currently does so via
> conf/distro/include/preferred-opie-versions.inc and that pins to a 
> non-existent version (it's using OPIE_VERSION which seems wrong).  All 
> of the previous versions have various security issues, including 
> remotely exploitable ones.  Only the very oldest version we have as a 
> D_P -1 so everyone was using 2.3.12 and will be going up to 2.4.3 
> (libraries are compat).

Acked-by: Martin Jansa <Martin.Jansa@gmail.com>

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com