Hi there,

On Wednesday 06 September 2006 12:00, Jonas Fietz wrote:
> paul kölle wrote:
> > José González Gómez wrote:
> I think a better approach for this would be to have a kind of wiki web
> hosted at whatever.gentoo.org, where admins would report their
> success/failure using a given version of a package with a given set of use
> flags.
There already is an unofficial wiki. If you want something more official the
new [1] Gentoo Knowledge Base might become what you're looking for.

> >> I would like to make a proposal here. What if no longer maintained
> >> ebuilds were marked but not deleted? Let's say you have _x86 in
> >> KEYWORDS for ebuilds/packages no longer maintained, that emerge is
> >> aware of that and can inform us of this and that those ebuilds are
> >> maintained in the portage tree for, let's say, a year WITH NO SECURITY
> >> BACKPORTS on them. This would be kind of an end of life notice that
> >> gives you some time to react. This way you still would be able to use
> >> the ebuild at your own risk, and this wouldn't represent much extra
> >> work load for the Gentoo devs, as the deletion process could be
> >> automatic with the use of some scripts. What do you think?
I haven't followed the Sunrise discussion so this might be dead wrong, but I
think such ebuilds might have a new and totally unsupported security-wise
home there. (No flames please)

> I am not sure about it, but I think that there are no GLSAs published
> for deleted packages, so you would effectively not know if there was a
> security problem. By the nature of how GLSAs are written, it might still
> be that your version is marked as being vulnerable. (Most of the time it
> is "<specific-version")
Note that GLSAs are not issued for _all_ issues, only those of a given
severity. See Gentoo Linux Vulnerability Treatment Policy [1] for further
details.

[1] http://www.gentoo.org/proj/en/kbase/
[2] http://www.gentoo.org/security/en/vulnerability-policy.xml

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team