| 1 |
On 03/12/2017 03:55 AM, Rich Freeman wrote: |
| 2 |
> On Sat, Mar 11, 2017 at 6:54 PM, Kristian Fiskerstrand <k_f@g.o> wrote: |
| 3 |
>> On 03/11/2017 11:23 PM, Andrew Savchenko wrote: |
| 4 |
>>> |
| 5 |
>>> My point is that users must be informed about security problem, but |
| 6 |
>>> they still should have a choice. So it should be either a rule |
| 7 |
>>> "mask without removal" or clear guidelines when to remove a |
| 8 |
>>> package and when to not. |
| 9 |
>> |
| 10 |
>> At some point, of a package does not belong in the main tree due to |
| 11 |
>> security vulnerabilities, they can still be kept in an overlay by a |
| 12 |
>> respective project without it impacting other users. I'm not convinced |
| 13 |
>> that impacts the overall user experience of other Gentoo users. |
| 14 |
>> |
| 15 |
> |
| 16 |
> Is there any reason that this can't be left to maintainer discretion? |
| 17 |
> The package is masked and clearly advertises its security issue. The |
| 18 |
> user can make an informed choice. Do we really need to force the |
| 19 |
> issue further? What is the benefit to Gentoo in doing so? |
| 20 |
> |
| 21 |
|
| 22 |
In most cases lack of maintainer participation is likely the issue to |
| 23 |
begin with. The primary issue with a package mask of this nature is that |
| 24 |
it is more permanent than temporary in nature. To what extent would |
| 25 |
other package maintainers need to take it into consideration e.g wrt |
| 26 |
depgraph breakages (say this is a lower slotted version or last version |
| 27 |
that supports a specific arch). |
| 28 |
|
| 29 |
Granted that isn't much of an issue from the security point of view, but |
| 30 |
goes more over on QA - the primary reason it isn't explicit in the draft |
| 31 |
GLEP is that specific rules are difficult to write to cover all |
| 32 |
situations and as such needs either a lot of preparation to write or |
| 33 |
will cause issues down the line. The accountability aspects of things is |
| 34 |
therefore more important than the rules themselves. |
| 35 |
|
| 36 |
Quite frankly I thought I left enough of maintainer discretion when |
| 37 |
stating: |
| 38 |
* The Security Project does not want to override the maintainer's |
| 39 |
autonomy, but |
| 40 |
if inactive might be required to fix a security vulnerability by means of |
| 41 |
version bump or application of a patch in a revision bump. |
| 42 |
* If a vulnerability is unlikely to be fixed by upstream or the |
| 43 |
package's maintainer |
| 44 |
it might require a package mask. Such mask should never break the |
| 45 |
stable dependency tree. |
| 46 |
|
| 47 |
-- |
| 48 |
Kristian Fiskerstrand |
| 49 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
| 50 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
Archives