Bug 2199 - Update candidate : pidgin 2.10.0
Summary: Update candidate : pidgin 2.10.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL: http://developer.pidgin.im/ticket/14602
Whiteboard:
Keywords: Security, validated_update
Duplicates: 1739
Depends on:
Blocks: 2750
Reported: 2011-07-18 19:49 CEST by Frédéric "LpSolit" Buclin
Modified: 2014-05-08 18:06 CEST

See Also:
Source RPM:
CVE:
Status comment:


Attachments
screenshot of the problem (138.46 KB, image/png)
2011-09-14 16:36 CEST, Frédéric "LpSolit" Buclin

Description Frédéric "LpSolit" Buclin 2011-07-18 19:49:40 CEST
Pidgin 2.9.0 has many bug fixes compared to the currently available 2.7.11 version in Mageia 1. Please backport it.
Comment 1 Frédéric "LpSolit" Buclin 2011-08-21 12:09:40 CEST
2.10.0 contains some security fixes.

Summary: Backport Pidgin 2.9.0 to Mageia 1 => Backport Pidgin 2.10.0 to Mageia 1

Comment 2 D Morgan 2011-09-06 16:41:34 CEST
please test in update_testing.

CC: (none) => dmorganec
Assignee: bugsquad => qa-bugs

Comment 3 claire robinson 2011-09-06 16:48:26 CEST
Thank you for the new package.

To properly validate we should show that bugs and security fixes actually do fix what they say they do. Can somebody provide testing procedures please?

If none are available we will only be able to check that it appears to work OK, which is not ideal.

CC: (none) => eeeemail

Comment 4 Samuel Verschelde 2011-09-06 16:55:17 CEST
Question: would it have been possible to backport the fixes from 2.10.0 to 2.7.11?

CC: (none) => stormi

Comment 5 Frédéric "LpSolit" Buclin 2011-09-06 23:16:31 CEST
(In reply to comment #3)
> To properly validate we should show that bugs and security fixes actually do
> fix what they say they do. Can somebody provide testing procedures please?

Does this really make sense? It's like saying that we should check that Firefox 6 really implements everything that it pretends to implement since Firefox 5. Nobody will ever do this.

Upgrading to Pidgin 2.10.0 is much safer than trying to backport fixes to 2.7.11 and then realize that the backport is not complete/broken because it depends on another change.
Comment 6 D Morgan 2011-09-06 23:21:56 CEST
Because mandriva update in updates to 2.10.0 and now we can update mdv 2010.1 -> mga 1 if we don't do this update.
Comment 7 D Morgan 2011-09-06 23:23:31 CEST
Because mandriva update in updates to 2.10.0 and now we can update mdv 2010.1 -> mga 1 if we don't do this update.

see: http://svn.mandriva.com/viewvc/packages?view=revision&revision=698446
Comment 8 Samuel Verschelde 2011-09-07 00:00:43 CEST
(In reply to comment #5)
> (In reply to comment #3)
> > To properly validate we should show that bugs and security fixes actually do
> > fix what they say they do. Can somebody provide testing procedures please?
> 
> Does this really make sense? It's like saying that we should check that Firefox
> 6 really implements everything that it pretends to implement since Firefox 5.
> Nobody will ever do this.
> 
> Upgrading to Pidgin 2.10.0 is much safer than trying to backport fixes to
> 2.7.11 and then realize that the backport is not complete/broken because it
> depends on another change.

Firefox is an exception: we had no choice because Firefox 4 was unmaintained and there were security issues. Otherwise, the policy applies: only bugfixes, no new features. New features go to backports or to the next release. However, sometimes we ship new versions because backporting the fixes would almost mean recreating the same software minus, and potentially break things. So sometimes using the new upstream version is the most sensible option. But we must not forget that this remains an exception to the common rule. So to answer your question, I think that yes, asking if backporting the fixes would have been doable makes sense. Now for pidgin, regardless of how doable or sensible backporting the fixes would have been, the fact that Mandriva provided 2.10.0 forces us to follow the same path, so that upgrades still work from Mandriva to Mageia.
Comment 9 Samuel Verschelde 2011-09-07 00:05:23 CEST
(In reply to comment #8)
> Now for pidgin, regardless of how doable or sensible
> backporting the fixes would have been, the fact that Mandriva 
> provided 2.10.0 forces us to follow the same path, so that
> upgrades still work from Mandriva to Mageia.

Just in case my English is ambiguous here: I mean that backporting the fixes for pidgin may have been doable and sensible, or maybe not, I don't know, but whatever the answer, another consideration makes us package the latest upstream version for this update.
Comment 10 Dave Hodgins 2011-09-07 05:53:32 CEST
Installing pidgin-silc pulls the following from Core Release
  libsilc1.1_2                   1.1.10       5.mga1        i586
  libsilcclient1.1_3             1.1.10       5.mga1        i586
  silc-toolkit                   1.1.10       5.mga1        i586
The same versions are in Mandriva 2010.2, so it should be ok
for bug 2317, but I will test with the Mandriva version installed later.

CC: (none) => davidwhodgins

Samuel Verschelde 2011-09-07 11:35:02 CEST

Summary: Backport Pidgin 2.10.0 to Mageia 1 => Update candidate : pidgin 2.10.0

Comment 11 Dave Hodgins 2011-09-07 23:08:32 CEST
Regarding comment 10, on a clean mageia 1 install, I installed pidgin
and all needed dependencies from Mandriva 2010.2, and then updated
from Mageia Core Updates Testing via mgaapplet.

It worked. The three rpm packages (as well as some others like libpurple0)
are still the mdv versions, but it didn't cause the update to fail.

So, as long as the Mageia version number is the same as the Mandriva 2010.2
version number, bug 2317 does not block the update.
Comment 12 Samuel Verschelde 2011-09-10 01:41:41 CEST
(In reply to comment #3)
> Thank you for the new package.
> 
> To properly validate we should show that bugs and security fixes actually do
> fix what they say they do. Can somebody provide testing procedures please?
> 
> If none are available we will only be able to check that it appears to work OK,
> which is not ideal.

The upstream website gives the list of fixed CVEs:
http://pidgin.im/news/security/

Here is the complete changelog: http://developer.pidgin.im/wiki/ChangeLog

It is huge, so I think we really must limit ourselves to testing that the program works well for this update.
Samuel Verschelde 2011-09-12 14:33:59 CEST

Keywords: (none) => Security

Comment 13 AL13N 2011-09-12 23:54:28 CEST
no regressions for me

CC: (none) => alien

Comment 14 AL13N 2011-09-12 23:57:58 CEST
*** Bug 1739 has been marked as a duplicate of this bug. ***

CC: (none) => jan.ciger

Manuel Hiebel 2011-09-13 00:27:08 CEST

Component: RPM Packages => Security
Assignee: qa-bugs => bugsquad

Manuel Hiebel 2011-09-13 00:31:33 CEST

Assignee: bugsquad => qa-bugs

Comment 15 Dave Hodgins 2011-09-13 00:44:37 CEST
testing pidgin-2.10.0-1.1.mga1.src.rpm on i586 complete.

I've been testing for 4 days now, with msn, yahoo, and gmail accounts
with no regressions showing up.
Comment 16 Sander Lepik 2011-09-13 09:43:55 CEST
Tested on x86_64. Seems to work just fine :)

CC: (none) => sander.lepik

Comment 17 claire robinson 2011-09-13 11:30:27 CEST
Also tested OK i586.

It should be alright to validate this now.

SRPM: 	pidgin-2.10.0-1.1.mga1.src.rpm

Advisory:

--------------

This update brings Pidgin 2.10.0 with many security and bug fixes. It also enables proper upgrade from Mandriva 2010 to Mageia 1.

For a complete changelog please see http://developer.pidgin.im/wiki/ChangeLog

For a list of security fixes please see http://pidgin.im/news/security/

--------------


Could somebody from sysadmin please push from core/updates_testing to core/updates.

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All

Comment 18 Frédéric "LpSolit" Buclin 2011-09-13 23:28:15 CEST
Every time someone joins an IRC channel, the user list scrolls by one line. This never happened with 2.7.11. Can someone else reproduce this problem?
Comment 19 Frédéric "LpSolit" Buclin 2011-09-13 23:35:14 CEST
Hum, it looks like it doesn't even need someone to enter the channel to trigger this. Weird.
Comment 20 AL13N 2011-09-13 23:52:15 CEST
cannot reproduce on x86_64 tried various things.

can you show a screenshot?
Comment 21 Frédéric "LpSolit" Buclin 2011-09-14 00:20:07 CEST
A screenshot of what? Do you expect to see scrolling in a static image? :)
Comment 22 AL13N 2011-09-14 01:47:50 CEST
I donno, I don't know exactly what to look for? Is it scrolling up or down or sideways, and is it the friends list? Or channel list? Or whatever? I cannot see it, show me a before and after maybe, I donno?

I cannot see this issue you're describing...
Comment 23 Florian Hubold 2011-09-14 11:18:43 CEST
(In reply to comment #18)
> Every time someone joins an IRC channel, the user list scrolls by one line. This
> never happened with 2.7.11. Can someone else reproduce this problem?

Not reproducible here, BTW not even under Windows 7 ;)
Also not with pidgin-2.9.0, which I was using before on Mageia 1.


Tested pidgin 2.10.0 on x86_64, everything works so far.

CC: (none) => doktor5000

Comment 24 claire robinson 2011-09-14 11:34:26 CEST
I think what you are seeing is the user list adding the user to the list.

I've sat in #ubuntu for a while and if you scroll down nearer the bottom of the user list it is more noticeable. I don't think it's a bug. It is just reorganising the list and you see that in real time.
Comment 25 claire robinson 2011-09-14 11:58:50 CEST
It's not very smooth, looks like it jumps. For me it's worse when people leave the channel. It's probably something to do with colourising the nicknames.

One thing I did notice though is sometimes it jumps to nicks beginning with E for no apparent reason. If it is a bug, I would imagine it's an upstream bug, they do seem to have had a couple of bugs related to the user list.

They had one which they claim to have fixed in 2.10.0 where users were displaying multiple times and the list wasn't updating, so I suppose they have changed the way it updates.
Comment 26 Frédéric "LpSolit" Buclin 2011-09-14 16:36:47 CEST
Created attachment 789
screenshot of the problem

As you can see, Pidgin started scrolling for no reason. I always keep the list at the very top, because that's where core developers are listed, as they are all channel operators. After a few minutes, the first 3 or 4 channel operators are out of view, and waiting some more tens of minutes, scrolling reached the very bottom of the list. This never happened before.
Comment 27 D Morgan 2011-09-14 18:33:09 CEST
I push this update or we block it for the moment?
Comment 28 claire robinson 2011-09-14 18:40:32 CEST
I'm not able to replicate the problem but there are funny things going on with the nicklist when it updates. They do appear to have been doing some work on the nicklist for other reasons recently.

I vote for push but perhaps Frédéric Buclin could report his issue upstream
here - http://developer.pidgin.im/

Defer to Stormi's judgement.
Comment 29 claire robinson 2011-09-14 19:13:15 CEST
Maybe before we do so we could check other distros with 2.10.0 with a livecd, I can do so tomorrow.
Comment 30 Frédéric "LpSolit" Buclin 2011-09-14 19:30:46 CEST
I downgraded to 2.7.11. I need and want to see channel operators, and having the list to scroll makes me crazy. Why do we want to push it when we know there is such a regression?
Comment 31 D Morgan 2011-09-14 19:35:15 CEST
I agree we can't.

Can you report the bug upstream so we can follow it?

Keywords: validated_update => (none)

Comment 32 Frédéric "LpSolit" Buclin 2011-09-14 19:59:48 CEST
Upstream bug: http://developer.pidgin.im/ticket/14602

URL: (none) => http://developer.pidgin.im/ticket/14602

Comment 33 claire robinson 2011-09-15 09:53:33 CEST
It currently prevents proper upgrade from Mandriva (comment 7) and contains security fixes (comment 1).

IMHO the IRC nicklist issues would be better handled in a separate bug report.
Comment 34 Samuel Verschelde 2011-09-15 13:54:24 CEST
Now we understand why I asked whether patching our existing pidgin was doable. When we upgrade to a newer version that is not purely a bugfix release, we always risk introducing new bugs.

As Claire said, if we don't update, upgrade from Mandriva can fail, which is a critical problem. I perfectly understand how bad it is to have such a regression and how nerve-breaking it can be. Without the constraints of security fixes and upgrade from Mandriva, I would delay the update, but here we have to choose the lesser of two evils, unfortunately.

As soon as the upstream project issues a patch for your problem, we will issue an update for it.

Let's give ourselves another 24 hours to try to fix this bug, then we'll push the update. This is not a satisfactory decision, but we need to make it :(
Comment 35 claire robinson 2011-09-15 16:14:29 CEST
Pidgin 2.9.0 tested in Ubuntu 11.04 and the same strange nicklist behaviour exists there too. That is the latest in the Ubuntu Pidgin PPA.

I have been unable to reproduce the actual scrolling effect Frédéric experiences with either version and I can see who is opped in a channel OK. They are obviously valid concerns though. The nicklist does behave strangely for me, it looks as if it jumps when it updates as people leave a channel.

Bug 2750 has been created regarding the strange nicklist problems, which should allow this to be pushed.
Comment 36 claire robinson 2011-09-15 16:28:30 CEST
SRPM:     pidgin-2.10.0-1.1.mga1.src.rpm

Advisory:

--------------

This update brings Pidgin 2.10.0 with many security and bug fixes. It also
enables proper upgrade from Mandriva 2010 to Mageia 1.

For a complete changelog please see http://developer.pidgin.im/wiki/ChangeLog

For a list of security fixes please see http://pidgin.im/news/security/

Please note that there is currently an upstream bug report regarding IRC nicklists scrolling down by themselves at http://developer.pidgin.im/ticket/14602 and a matching Mageia bug report at https://bugs.mageia.org/show_bug.cgi?id=2750

--------------
Frédéric "LpSolit" Buclin 2011-09-15 16:54:07 CEST

Blocks: (none) => 2750

Comment 37 Samuel Verschelde 2011-09-19 10:49:39 CEST
Update validated, please push it (see comment 36)

Keywords: (none) => validated_update

Comment 38 Nicolas Vigier 2011-09-23 21:49:28 CEST
pushed to updates.

Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED

Nicolas Vigier 2014-05-08 18:06:29 CEST

CC: boklm => (none)
