| 1 |
> > |
| 2 |
> > 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless") |
| 3 |
> > |
| 4 |
> |
| 5 |
> The Gentoo model is not perfect and should be overhauled. However, it |
| 6 |
> works for most things and sometimes bugs fall between the cracks. |
| 7 |
> |
| 8 |
> The package shouldn't have been masked either based on a bug that was |
| 9 |
> purposely ignored for many years simply because they want to disband the |
| 10 |
> package now and found a "security reason" to add to the mask. |
| 11 |
|
| 12 |
Well, over the last year or so every 2-3 months the (uninformed) discussion came up, "don't use openrc stages because you are automatically rooted". That leaves a rather bad impression of Gentoo, independent of whether it is true or not. If noone from sec team noticed the discussions... |
| 13 |
|
| 14 |
> > 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account). |
| 15 |
> > |
| 16 |
> |
| 17 |
> I am not sure if this is sarcasm, but every bug must be considered |
| 18 |
> through the correct aperture. That is, based on your environment, |
| 19 |
> protections in place, defense in depth, and other buzzwords... hence the |
| 20 |
> onion analogy. |
| 21 |
|
| 22 |
It's not sarcasm. The point of the classification is to give clear rules (why else would you list, e.g., required response times on the vulnerability treatment page (no matter how illusory they are)). |
| 23 |
|
| 24 |
If you don't take all factors into account when *making* the classification, then all gain you have from the classification is lost. |
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
-- |
| 29 |
Andreas K. Hüttel |
| 30 |
dilfridge@g.o |
| 31 |
Gentoo Linux developer |
| 32 |
(council, toolchain, base-system, perl, libreoffice) |
Archives