| 1 |
Dne So 1. prosince 2012 06:42:13, Rich Freeman napsal(a): |
| 2 |
> On Fri, Nov 30, 2012 at 4:13 PM, Tomáš Chvátal <tomas.chvatal@×××××.com> |
| 3 |
wrote: |
| 4 |
> > Dne Pá 30. listopadu 2012 20:37:22, Pacho Ramos napsal(a): |
| 5 |
> >> media-sound/logitechmediaserver-bin -> this package is "special", it's |
| 6 |
> >> maintained by a proxy maintainer but it was reassigned to |
| 7 |
> >> maintainer-needed instead of proxy-maint herd. Was reviewing to reassign |
| 8 |
> >> it when I saw: |
| 9 |
> >> https://bugs.gentoo.org/show_bug.cgi?id=251494 |
| 10 |
> >> |
| 11 |
> >> that I have no idea about how to handle :| |
| 12 |
> > |
| 13 |
> > Simple, |
| 14 |
> > add hardmaks explaining possible secuirty issues due to bundling |
| 15 |
> > earth&heaven, and then let the proxymaintainer play with it if he wants. |
| 16 |
> > |
| 17 |
> > The mask will be lifted only under condition these issues are fixed. |
| 18 |
> > People can unmask quite easily if they want, we don't need everything in |
| 19 |
> > stable :-) |
| 20 |
> |
| 21 |
> I can't say that I agree with this needing to be masked. If it HAS a |
| 22 |
> known security issue, then mask it. If the only issue is that it |
| 23 |
> bundles too many libs, well, then just stick an ewarn in there or |
| 24 |
> something but make it the user's call. |
| 25 |
|
| 26 |
Bundling few libs and bundling 40 of them is bit of difference, will YOU do |
| 27 |
the audit? |
| 28 |
Also other teams actively work on the unbundling, while there is track of no |
| 29 |
will to actually make it buildable with system libs. |
| 30 |
|
| 31 |
Also the security is not the only problem here, it can also cause runtime |
| 32 |
issues. Like bundled lib does not work with xyz because it does not apply |
| 33 |
patch X that we have in main tree. |
| 34 |
|
| 35 |
> |
| 36 |
> Should we mask chrome while we're at it (and yes, I'm aware that the |
| 37 |
> chromium team is doing their best to remove these, but there are MANY |
| 38 |
> left)? How about mythtv - that bundles ffmpeg? |
| 39 |
|
| 40 |
Mythtv and its bundling is really horrible and actually not needed at all by |
| 41 |
upstream.. This is the reason why it for example is not included in debian at |
| 42 |
all (external repos of course have it). |
| 43 |
|
| 44 |
> |
| 45 |
> Yes, it is lousy practice, but our options are to change the world, |
| 46 |
> practically fork upstream, or refuse to include useful packages. It |
| 47 |
> is admirable when we can remove bundled libs, but this should not be |
| 48 |
> mandatory for having a package in the tree. Actual security issues |
| 49 |
> should be fixed, of course, or masked. |
| 50 |
> |
| 51 |
> Sure, it ain't perfect or pretty, but it works. And when dealing with |
| 52 |
> outsiders, whether they are proxy maintainers or our founder, can we |
| 53 |
> at least try to be polite? |
| 54 |
|
| 55 |
Yes we should be polite and nice, and I think explaining the guy why it will |
| 56 |
be masked is enough. He can still work on it in main tree where it will for |
| 57 |
sure get way larger audience than if it would be sitting in some overlay, and |
| 58 |
users would have to read the mask before using it so they will have to use |
| 59 |
their brains at least a bit. |
| 60 |
|
| 61 |
Still keep in mind most distros won't allow inclusion of such software into |
| 62 |
main repositories at all, so we allow something fishy others avoid a lot. |
Archives