On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@g.o> wrote:
>
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
>

Is this policy documented anywhere? If not, I'd be interested in what
the general sense of the community is here, and this might be an
appropriate topic for the next Council meeting.

I guess my question is what harm does it cause to have masked packages
in the main tree, where they at least benefit from other forms of QA
(eclass fixes, etc)? The mask messages clearly point out the security
issues, so anybody who unmasks them is making an informed decision.
If they just move to some overlay most likely they won't have any
warnings and people will just figure that they're one of 10k other
packages that someone doesn't want to bother getting into the tree.

I'll go ahead and reply to the council agenda thread with this, and
I'd be interested in what the general sense of the rest of the
community is here.

--
Rich