| 1 |
On Sun, 11 Feb 2007 12:33:52 +0000 |
| 2 |
Ciaran McCreesh <ciaranm@×××××××.org> wrote: |
| 3 |
|
| 4 |
> On Sun, 11 Feb 2007 13:22:48 +0100 "Kevin F. Quinn" |
| 5 |
> <kevquinn@g.o> wrote: |
| 6 |
> | Do you object to such packages (specifically with security issues) |
| 7 |
> | being p.masked? |
| 8 |
> |
| 9 |
> If it's forcing a downgrade, yes. |
| 10 |
> |
| 11 |
> | I'm not sure we should be encouraging people to continue using |
| 12 |
> | packages when we know there are known security issues. |
| 13 |
> |
| 14 |
> You assume that being affected by a local denial of service on a |
| 15 |
> system where all users have the root password is more important than |
| 16 |
> using a package that has been verified to work by an arch team member. |
| 17 |
|
| 18 |
I said nothing about local denial of service; perhaps you're thinking |
| 19 |
of a particular instance - I'm not. To rhetorically follow your line of |
| 20 |
discussion, you're happy to have remote exploits remain in the tree |
| 21 |
(i.e. promoted by Gentoo) if a package is marked stable and a patch |
| 22 |
isn't available? |
| 23 |
|
| 24 |
The point about p.masking (rather than removal) is that we have then |
| 25 |
made reasonable efforts to inform the user and give them the |
| 26 |
opportunity to decide what they want to do, based on their own security |
| 27 |
policy - which could be to unmask locally and continue regardless, or |
| 28 |
could be to remove the package and try something else. That way they'd |
| 29 |
be making informed decisions. |
| 30 |
|
| 31 |
I think if we're to promote packages that have security issues on an |
| 32 |
arch, we need to be very clear that we're not making reasonable efforts |
| 33 |
to ensure that arch is free of known exploits. |
| 34 |
|
| 35 |
-- |
| 36 |
Kevin F. Quinn |
Archives