On 09/26/2010 07:51 AM, Volker Armin Hemmann wrote:
> so there has been roughly a week so far.

Agreed - 10 days was the figure I mentioned. So far we're 7 over the
target of 3. Most major distros did it in less than 1.

>
> And the bug is not that dangerous - except when you insist on running unsecure
> 32bit software on a 64bit system.
>

I didn't realize that multilib amd64 wasn't a security-supported
configuration of Gentoo. Perhaps that should be documented somewhere -
like the amd64 handbook, and the multilib howto. The security page
probably should also be updated - to indicate that amd64 is a supported
arch only without multilib.

Note that you don't need to RUN any 32-bit software to be insecure - you
merely need to have support for it enabled in the kernel config.

Look, either multilib is supported, or it isn't. If it isn't, that's a
pretty big caveat that we don't document ANYWHERE. If it is, then we
have to fix bugs in line with the security guidelines.

I'm just asking for us to be up-front with our policies, and to follow
them. If we don't support multilib amd64, fine. If we do support it,
then we need to support it.

Rich