1 |
On 03/12/2017 03:55 AM, Rich Freeman wrote: |
2 |
> On Sat, Mar 11, 2017 at 6:54 PM, Kristian Fiskerstrand <k_f@g.o> wrote: |
3 |
>> On 03/11/2017 11:23 PM, Andrew Savchenko wrote: |
4 |
>>> |
5 |
>>> My point is that users must be informed about security problem, but |
6 |
>>> they still should have a choice. So it should be either a rule |
7 |
>>> "mask without removal" or clear guidelines when to remove a |
8 |
>>> package and when to not. |
9 |
>> |
10 |
>> At some point, of a package does not belong in the main tree due to |
11 |
>> security vulnerabilities, they can still be kept in an overlay by a |
12 |
>> respective project without it impacting other users. I'm not convinced |
13 |
>> that impacts the overall user experience of other Gentoo users. |
14 |
>> |
15 |
> |
16 |
> Is there any reason that this can't be left to maintainer discretion? |
17 |
> The package is masked and clearly advertises its security issue. The |
18 |
> user can make an informed choice. Do we really need to force the |
19 |
> issue further? What is the benefit to Gentoo in doing so? |
20 |
> |
21 |
|
22 |
In most cases lack of maintainer participation is likely the issue to |
23 |
begin with. The primary issue with a package mask of this nature is that |
24 |
it is more permanent than temporary in nature. To what extent would |
25 |
other package maintainers need to take it into consideration e.g wrt |
26 |
depgraph breakages (say this is a lower slotted version or last version |
27 |
that supports a specific arch). |
28 |
|
29 |
Granted that isn't much of an issue from the security point of view, but |
30 |
goes more over on QA - the primary reason it isn't explicit in the draft |
31 |
GLEP is that specific rules are difficult to write to cover all |
32 |
situations and as such needs either a lot of preparation to write or |
33 |
will cause issues down the line. The accountability aspects of things is |
34 |
therefore more important than the rules themselves. |
35 |
|
36 |
Quite frankly I thought I left enough of maintainer discretion when |
37 |
stating: |
38 |
* The Security Project does not want to override the maintainer's |
39 |
autonomy, but |
40 |
if inactive might be required to fix a security vulnerability by means of |
41 |
version bump or application of a patch in a revision bump. |
42 |
* If a vulnerability is unlikely to be fixed by upstream or the |
43 |
package's maintainer |
44 |
it might require a package mask. Such mask should never break the |
45 |
stable dependency tree. |
46 |
|
47 |
-- |
48 |
Kristian Fiskerstrand |
49 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
50 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |