On 09/26/2010 07:51 AM, Volker Armin Hemmann wrote:
> so there has been roughly a week so far.

Agreed - 10 days was the figure I mentioned.  So far we're 7 over the
target of 3.  Most major distros did it in less than 1.

> 
> And the bug is not that dangerous - except when you insist on running unsecure 
> 32bit software on a 64bit system.
> 

I didn't realize that multilib amd64 wasn't a security-supported
configuration of Gentoo.  Perhaps that should be documented somewhere -
like the amd64 handbook, and the multilib howto.  The security page
probably should also be updated - to indicate that amd64 is a supported
arch only without multilib.

Note that you don't need to RUN any 32-bit software to be insecure - you
merely need to have support for it enabled in the kernel config.

Look, either multilib is supported, or it isn't.  If it isn't, that's a
pretty big caveat that we don't document ANYWHERE.  If it is, then we
have to fix bugs in line with the security guidelines.

I'm just asking for us to be up-front with our policies, and to follow
them.  If we don't support multilib amd64, fine.  If we do support it,
then we need to support it.

Rich