On 7/6/16 6:54 AM, Aaron Bauman wrote:
> On Wednesday, July 6, 2016 5:10:25 PM JST, Anthony G. Basile wrote:
>> On 7/5/16 10:52 PM, NP-Hardass wrote:
>>> I think it is a little bit of a stretch to say that he's the only one to
>>> have an issue. Now, I've spoken with the parties involved, so my issue
>>> is resolved, but I had a package of mine bumped in the name of security
>>> without being pinged/consulted at all. I'm not attempting to point
>>> blame at anyone, but merely show that there are others who have been ...
>>
>> I agree that a ping is the necessary first step, but I'm afraid of a
>> dispute between the maintainer and the security team. Bug #459274,
>> which I discussed in my previous email, should never have been filed and
>> should never have been acted on. If the security team feels they must
>> touch a package, I'd like to have QA review it. The QA leadership is
>> ratified by the council and has a long history of dealing with these
>> sorts of issues which are tried and true.
>>
>>
>
> So just state such facts, as you did following the p.mask, and all would
> be well. It really has been and continues to be that simple.
>

Except that I stated such facts BEFORE the p.mask and you ignored it.
Referring to bug #473770:

<Comment #2>

(In reply to Anthony Basile from comment #1)
> The CVE for this has gone nowhere. See
>
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
>
> There are no references and I can't get at the upstream bug report anymore
> since they moved to github.

Actually, I found it. It's fixed:

https://github.com/monkey/monkey/issues/93

</Comment #2>

<Comment #3>

Aaron Bauman gentoo-dev Security 2016-07-01 01:39:40 UTC

# Aaron Bauman <bman@g.o> (1 Jul 2016)
# Unpatched security vulnerabilities and dead upstream
# per bugs #459274 and #473770 Removal in 30 days
www-servers/monkeyd

</Comment #3>


People following this can clearly see the problem here.

I'm also disappointed that no one else in the security team has
recommended any internal policing in response to this. I maintain that
forced p.masking and version bumping should not be done by the security
team but passed to QA for review. Only QA is mandated with such powers
by GLEP 48.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA