On Sun, 11 Feb 2007 12:33:52 +0000
Ciaran McCreesh <ciaranm@×××××××.org> wrote:

> On Sun, 11 Feb 2007 13:22:48 +0100 "Kevin F. Quinn"
> <kevquinn@g.o> wrote:
> | Do you object to such packages (specifically with security issues)
> | being p.masked?
>
> If it's forcing a downgrade, yes.
>
> | I'm not sure we should be encouraging people to continue using
> | packages when we know there are known security issues.
>
> You assume that being affected by a local denial of service on a
> system where all users have the root password is more important than
> using a package that has been verified to work by an arch team member.

I said nothing about local denial of service; perhaps you're thinking
of a particular instance - I'm not. To rhetorically follow your line of
discussion, you're happy to have remote exploits remain in the tree
(i.e. promoted by Gentoo) if a package is marked stable and a patch
isn't available?

The point about p.masking (rather than removal) is that we have then
made reasonable efforts to inform the user and give them the
opportunity to decide what they want to do, based on their own security
policy - which could be to unmask locally and continue regardless, or
could be to remove the package and try something else. That way they'd
be making informed decisions.

I think if we're to promote packages that have security issues on an
arch, we need to be very clear that we're not making reasonable efforts
to ensure that arch is free of known exploits.

-- 
Kevin F. Quinn