| 1 |
On 7/6/16 6:54 AM, Aaron Bauman wrote: |
| 2 |
> On Wednesday, July 6, 2016 5:10:25 PM JST, Anthony G. Basile wrote: |
| 3 |
>> On 7/5/16 10:52 PM, NP-Hardass wrote: |
| 4 |
>>> I think it is a little bit of a stretch to say that he's the only one to |
| 5 |
>>> have an issue. Now, I've spoken with the parties involved, so my issue |
| 6 |
>>> is resolved, but I had a package of mine bumped in the name of security |
| 7 |
>>> without being pinged/consulted at all. I'm not attempting to point |
| 8 |
>>> blame at anyone, but merely show that there are others who have been ... |
| 9 |
>> |
| 10 |
>> I agree that a ping is the necessary first step, but I'm afraid of a |
| 11 |
>> dispute between the maintainer and the security team. Bug #459274, |
| 12 |
>> which I discussed in my previous email, should never have been file and |
| 13 |
>> should never have been acted on. If the security team feels they must |
| 14 |
>> touch a package, I'd like to have QA review it. The QA leadership is |
| 15 |
>> ratified by the council and has a long history of dealing with these |
| 16 |
>> sorts of issues which are tried and true. |
| 17 |
>> |
| 18 |
>> |
| 19 |
> |
| 20 |
> So just state such facts, as you did following the p.mask, and all would |
| 21 |
> be well. It really has been and continues to be that simple. |
| 22 |
> |
| 23 |
|
| 24 |
Except that I state such facts BEFORE the p.mask and you ignored it. |
| 25 |
Referring to bug #473770: |
| 26 |
|
| 27 |
<Comment #2> |
| 28 |
|
| 29 |
(In reply to Anthony Basile from comment #1) |
| 30 |
> The CVE for this has gone nowhere. See |
| 31 |
> |
| 32 |
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183 |
| 33 |
> |
| 34 |
> There are no references and I can't get at the upstream bug report anymore |
| 35 |
> since they moved to github. |
| 36 |
|
| 37 |
Actually, I found it. Its fixed: |
| 38 |
|
| 39 |
https://github.com/monkey/monkey/issues/93 |
| 40 |
|
| 41 |
</Comment #2> |
| 42 |
|
| 43 |
<Comment #3> |
| 44 |
|
| 45 |
Aaron Bauman gentoo-dev Security 2016-07-01 01:39:40 UTC |
| 46 |
|
| 47 |
# Aaron Bauman <bman@g.o> (1 Jul 2016) |
| 48 |
# Unpatched security vulnerabilities and dead upstream |
| 49 |
# per bugs #459274 and #473770 Removal in 30 days |
| 50 |
www-servers/monkeyd |
| 51 |
|
| 52 |
</Comment #3> |
| 53 |
|
| 54 |
|
| 55 |
People reading following this can clearly see the problem here. |
| 56 |
|
| 57 |
I'm also disappointed that no one else in the security team has |
| 58 |
recommended any internal policing in response to this. I maintain that |
| 59 |
forced p.masking and version bumping should not be done by the security |
| 60 |
team but passed to QA for review. Only QA is mandated with such powers |
| 61 |
by GLEP 48. |
| 62 |
|
| 63 |
|
| 64 |
-- |
| 65 |
Anthony G. Basile, Ph.D. |
| 66 |
Gentoo Linux Developer [Hardened] |
| 67 |
E-Mail : blueness@g.o |
| 68 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 69 |
GnuPG ID : F52D4BBA |
Archives