| 1 |
"Stefan Cornelius" <stefan.cornelius@×××××.com> writes: |
| 2 |
|
| 3 |
> The maintainer provides a new ebuild, but (s)he is not allowed to |
| 4 |
> stable of for any architecture, unless (s)he is a member of that |
| 5 |
> architecture team. So often you have a fixed ebuild within the first |
| 6 |
> day, but testing and stabling takes some time. (But sometime, you |
| 7 |
> also have to wait weeks for a patch. But that is another story). |
| 8 |
> |
| 9 |
> If this is update is so important to admins, they are welcome to |
| 10 |
> monitor our bugzilla activity to get 0-sec announcements of fixed |
| 11 |
> ebuilds. |
| 12 |
|
| 13 |
Another possibility is that the version in ~arch already has the fix, |
| 14 |
so that there might not be a new ebuild. There might be other reasons, |
| 15 |
such as dependencies on other ~arch packages, for a delay in |
| 16 |
stabilising the version with the fix. In these cases it would be |
| 17 |
useful to have a security announcement stating the ~arch version is |
| 18 |
not vulnerable and giving the reasons why the package cannot be made |
| 19 |
stable in a timely manner. This would give the administrators enough |
| 20 |
information to make their own risk assessment as to whether to upgrade to |
| 21 |
the ~arch version (and all it dependencies) or keep running the |
| 22 |
vulnerable version until the fix is put into stable. |
| 23 |
-- |
| 24 |
gentoo-security@g.o mailing list |
Archives