| 1 |
On Thu, 30 Jun 2016 22:51:51 -0400 Anthony G. Basile wrote: |
| 2 |
> I'm going to ask the security team to please stop running around |
| 3 |
> p.masking packages without acknowledgement from the maintainers. I'm |
| 4 |
> referring in particular to commit |
| 5 |
> 135b94c85950254f559f290f4865bce8b349a917 regarding monkeyd. Both of the |
| 6 |
> cited "security bugs" were long fixed, and even if the were not, they do |
| 7 |
> not merit masking because they were at best some information leakage |
| 8 |
> with minor impact. I have reverted that commit and would ask that |
| 9 |
> security stop this practice. |
| 10 |
|
| 11 |
Seconded here, the same applies to commit |
| 12 |
61de68f69fdf7dd0aaa53303517c0e59738034c3, since security issues |
| 13 |
doesn't affect most popular use cases, and at least first security |
| 14 |
bug is fixed in [1]. Haven't tested the other bug, though. |
| 15 |
|
| 16 |
The same applies for the tree-cleaners team. While their job is |
| 17 |
very important, sometimes they are too hasty, like in commit |
| 18 |
34181a1045d13142d959b9c894a46ddcebf3c512. If package builds and |
| 19 |
works fine, have no critical bugs opened, the sheer fact that |
| 20 |
upstream as inactive and package has no maintainer is no valid to |
| 21 |
remove package. The reason "are still sitting in ~arch" is even |
| 22 |
less valid, since it is absolutely fine that package never mades it |
| 23 |
into stable (some people do not use stable at all). |
| 24 |
|
| 25 |
[1] https://github.com/Mr-Dave/motion |
| 26 |
|
| 27 |
Best regards, |
| 28 |
Andrew Savchenko |
Archives