[pulseaudio-discuss] Example using async API

Colin Guthrie gmane at colin.guthr.ie
Wed Oct 14 00:50:43 PDT 2009


'Twas brillig, and Nix at 14/10/09 00:24 did gyre and gimble:
> That requires me to be permanently present on IRC. I'm stuck commuting
> and have to sleep so this is impractical.

I'm on IRC 24/7 and yet I do both of those things too. It's not 
impractical, but I don't think it should be seen as a primary source of 
info either. This list is that. IRC is just convenient.

>> The current system works quite well I'd say -- for the distros. You
> 
> for the distros *you choose to communicate with*, and we don't even know
> who they are: it may even be a matter of whim. Everyone else is screwed.

Well FWIW, the current system works fine for me too. Sure Lennart may 
ping me on IRC but all the info is on the list too.

>> think there's more than distros that matters. I don't. So why should I
>> do the additional work and you don't?
> 
> One Cc:? 'Additional work'? I'm sorry, I assumed that running a
> very-low-volume one-posting-subscriber mailing list was essentially no
> work if you were already running several higher-volume ones. I didn't
> realise it was immensely difficult.

Pulseaudio is not a simple app and when people see an announce list they 
may be tempted to think: "ahh new version, upgrade time \o/". It's 
deeply integrated into the stack, and synced with various other components 
including the kernel and udev. An announce list would just encourage 
people to bash on and try and upgrade without understanding things 
fully. This list is not particularly high traffic and I think a separate 
list would only encourage these "drive by" experiences which we should 
be discouraging (as someone who often advises people on IRC and this 
list, I'd say it's one of the most frustrating things I have to deal with).

>> Also, Colin maintains a -stable branch, which also includes the
>> security fixes -- not sure what more you need?
> 
> Aha. I didn't notice that these were still active: indeed the recent
> security fix doesn't seem to have gone into the older one. I guess this
> means that what I'm hoping for *is* there... except that it's not
> publicised anywhere.

It's been announced on this list and the git tree speaks for itself. All 
the distros know it's there.

> Aha. From your phrasing I thought it was being sent *only* to
> distributors, not to distributors and this list. (I can't recall any
> security-related announcements ever being made to this list. Certainly
> the patching of the recent actively-exploited PA hole wasn't announced
> here.)

What recent actively-exploited PA hole that wasn't announced do you 
refer to? The only one I know of was announced on this list, so this is 
slightly concerning to me and I'd agree that this is an issue if there 
is something not actively discussed/announced here. Doesn't mean there 
should be a separate list tho', and if this list hasn't had mention of 
this issue, then it's highly likely that this other new list would have 
either!

> This is the biggest problem in the free software world, really:
> responding to criticisms of major flaws with utterly trivial fixes with
> 'oh, you do that then'. Adding one email address to a Cc: to help all
> users of your software avoid security problems is not rocket science and
> takes zero effort as far as I can see, but you responded like I was
> suggesting you paint the ceiling of the Sistine Chapel, with proposed
> fixes which involved *insane* amounts of effort (24x7 presence on an IRC
> channel come-what-may and scanning all the traffic on that channel to
> spot a non-automatically-detectable notice which might come up once in
> six months, if that? Come on!)

Your comments above assume that such a list should be encouraged in 
the first place.... OK a security-only list would not encourage bad 
behaviour like an announce list would, but to be honest, the one or two 
posts on it in the last four years probably wouldn't encourage people to 
sign up to such a list anyway.

I'm on enough lists. I'd rather just use this one personally.

> If you really think that upstream PA is only usable by distributors,
> that's fine: everyone else should for security's sake drop it and
> encourage every program that currently uses it to drop support for it as
> well (otherwise they are opening all their users who do not use your
> preferred distros to potential security threats).
> 
> A shame. It's fine software, better than any other desktop sound system
> I've ever used, but it seems it's not safe to use unless I'm in the
> right club or have infinite amounts of free time to use to follow
> everything you do in micrometric detail.

You're totally overreacting. Are you really going to stop using a piece 
of software because one or two emails were not sent to a specific list 
designed specifically to receive this handful of email? This list serves 
me and others perfectly well, so your opinions are not shared by everyone.

Col


-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
   Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
   Mandriva Linux Contributor [http://www.mandriva.com/]
   PulseAudio Hacker [http://www.pulseaudio.org/]
   Trac Hacker [http://trac.edgewall.org/]



