On 7/6/16 7:23 AM, Aaron Bauman wrote:
> On Wednesday, July 6, 2016 8:15:24 PM JST, Anthony G. Basile wrote:
>> On 7/6/16 6:54 AM, Aaron Bauman wrote:
>>> On Wednesday, July 6, 2016 5:10:25 PM JST, Anthony G. Basile wrote: ...
>>
>> Except that I state such facts BEFORE the p.mask and you ignored it.
>> Referring to bug #473770:
>>
>> <Comment #2>
>>
>> (In reply to Anthony Basile from comment #1)
>>> The CVE for this has gone nowhere. See
>>>
>>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
>>>
>>> There are no references and I can't get at the upstream bug report
>>> anymore
>>> since they moved to github.
>>
>> Actually, I found it. It's fixed:
>>
>> https://github.com/monkey/monkey/issues/93
>>
>> </Comment #2>
>>
>> <Comment #3>
>>
>> Aaron Bauman gentoo-dev Security 2016-07-01 01:39:40 UTC
>>
>> # Aaron Bauman <bman@g.o> (1 Jul 2016)
>> # Unpatched security vulnerabilities and dead upstream
>> # per bugs #459274 and #473770 Removal in 30 days
>> www-servers/monkeyd
>>
>> </Comment #3>
>>
>> People following this can clearly see the problem here.
>>
>> I'm also disappointed that no one else in the security team has
>> recommended any internal policing in response to this. I maintain that
>> forced p.masking and version bumping should not be done by the security
>> team but passed to QA for review. Only QA is mandated with such powers
>> by GLEP 48.
>>
>
> What kind of policing would you like to see councilman?

Policing also has the meaning of policy-ing. I'd like to see better
policies within the security team for escalation of security bugs. I'm
suggesting passing the review onto QA, but it looks like K_F (from his
other email) has other ideas which may be better for a workflow.

> Would you like
> to see me removed from the project, because your precious package was
> p.masked?

I never said anything to that effect. I'm arguing a point for better
policy-ing and I'm not satisfied by your solution that developers need
to just better document when a security issue is fixed.

monkeyd is an important package.

> You have ignored everything I have said regarding your
> inability to work with the security team. Even after an apology from me
> and a request to work with us you continue on with the rhetoric of
> powers. It displays a lot about your inability to work with others.

The problem is not an apology, which I appreciate. The problem is we
need better expectations of when a package is going to get p.masked on
you. p.masking a package with a notice of 30 days until removal sends
a very bad message to users who depend on it. Proceeding as the
security team has, there is no way for a developer to know what's about
to happen. Consider, I thought I'd answered the issue with bug #473770
with comment #2.

>
> No other developer is complaining... it is *literally* only you.
> NP-Hardass's case was not even a security bug nor handled by the
> security team. One of the bugs for monkeyd led to additional discovery
> of insecurities regarding log files, but it took a p.mask to get your
> attention. Quit pushing an agenda and work with others to make Gentoo
> more secure. Everyone else is.
>
>>

It doesn't matter, there is a problem here which needs to be addressed.
I'm complaining because we need to fix a problem in our workflow. It
sounds like K_F is working on a GLEP for that, which I applaud.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA