"Stefan Cornelius" <stefan.cornelius@×××××.com> writes:

> The maintainer provides a new ebuild, but (s)he is not allowed to
> stable it for any architecture, unless (s)he is a member of that
> architecture team. So often you have a fixed ebuild within the first
> day, but testing and stabling takes some time. (But sometimes, you
> also have to wait weeks for a patch. But that is another story).
>
> If this update is so important to admins, they are welcome to
> monitor our bugzilla activity to get 0-sec announcements of fixed
> ebuilds.

Another possibility is that the version in ~arch already has the fix,
so that there might not be a new ebuild. There might be other reasons,
such as dependencies on other ~arch packages, for a delay in
stabilising the version with the fix. In these cases it would be
useful to have a security announcement stating the ~arch version is
not vulnerable and giving the reasons why the package cannot be made
stable in a timely manner. This would give the administrators enough
information to make their own risk assessment as to whether to upgrade to
the ~arch version (and all its dependencies) or keep running the
vulnerable version until the fix is put into stable.
--
gentoo-security@g.o mailing list