On Sat 1 December 2012 06:42:13, Rich Freeman wrote:
> On Fri, Nov 30, 2012 at 4:13 PM, Tomáš Chvátal <tomas.chvatal@×××××.com> wrote:
> > On Fri 30 November 2012 20:37:22, Pacho Ramos wrote:
> >> media-sound/logitechmediaserver-bin -> this package is "special", it's
> >> maintained by a proxy maintainer but it was reassigned to
> >> maintainer-needed instead of proxy-maint herd. Was reviewing to reassign
> >> it when I saw:
> >> https://bugs.gentoo.org/show_bug.cgi?id=251494
> >>
> >> that I have no idea about how to handle :|
> >
> > Simple,
> > add a hardmask explaining possible security issues due to bundling
> > earth&heaven, and then let the proxy maintainer play with it if he wants.
> >
> > The mask will be lifted only under the condition that these issues are fixed.
> > People can unmask quite easily if they want, we don't need everything in
> > stable :-)
>
> I can't say that I agree with this needing to be masked. If it HAS a
> known security issue, then mask it. If the only issue is that it
> bundles too many libs, well, then just stick an ewarn in there or
> something but make it the user's call.

Bundling a few libs and bundling 40 of them is a bit of a difference, will YOU do
the audit?
Also, other teams actively work on the unbundling, while there is no sign of any
will to actually make it buildable with system libs.

Also, security is not the only problem here, it can also cause runtime
issues. Like a bundled lib not working with xyz because it does not apply
patch X that we have in the main tree.

>
> Should we mask chrome while we're at it (and yes, I'm aware that the
> chromium team is doing their best to remove these, but there are MANY
> left)? How about MythTV - that bundles ffmpeg?

MythTV and its bundling are really horrible and actually not needed at all by
upstream. This is the reason why, for example, it is not included in Debian at
all (external repos of course have it).

>
> Yes, it is lousy practice, but our options are to change the world,
> practically fork upstream, or refuse to include useful packages. It
> is admirable when we can remove bundled libs, but this should not be
> mandatory for having a package in the tree. Actual security issues
> should be fixed, of course, or masked.
>
> Sure, it ain't perfect or pretty, but it works. And when dealing with
> outsiders, whether they are proxy maintainers or our founder, can we
> at least try to be polite?

Yes, we should be polite and nice, and I think explaining to the guy why it will
be masked is enough. He can still work on it in the main tree, where it will for
sure get a way larger audience than if it were sitting in some overlay, and
users would have to read the mask before using it, so they will have to use
their brains at least a bit.

Still, keep in mind most distros won't allow inclusion of such software into
their main repositories at all, so we allow something fishy that others avoid a lot.