| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Sorry for quoting a lot this time but it's important for understanding |
| 5 |
the issue. |
| 6 |
|
| 7 |
On 01.02.2013 15:00, Ian Stakenvicius wrote: |
| 8 |
> On 01/02/13 08:56 AM, Wulf C. Krueger wrote: |
| 9 |
>> On 01.02.2013 14:47, Rich Freeman wrote: |
| 10 |
>>>> And how will you get to know about current or future |
| 11 |
>>>> security issues if nobody (in Gentoo) cares about the |
| 12 |
>>>> package? |
| 13 |
>>> The same way that you know about security issues in Firefox or |
| 14 |
>>> Chromium [...] Until somebody tells upstream about them you're |
| 15 |
>>> going to be vulnerable. |
| 16 |
>> Indeed. In contrast to many of the packages that were mentioned |
| 17 |
>> in this thread, Firefox and Chromium have an active upstream, |
| 18 |
>> though. What do you think will happen to projects with a dead |
| 19 |
>> upstream? I think the answer is pretty simple: Nothing. |
| 20 |
> Not really, no. A dead upstream means that there isn't an upstream |
| 21 |
> to push a fix or release a new version. That's all. If security |
| 22 |
> bugs occur then there's two options -- fix, or remove. So if the |
| 23 |
> gentoo dev in question doesn't have time/ability/desire to fix, |
| 24 |
> they or security remove it at that point. This isn't "nothing" to |
| 25 |
> me; I must be missing something from your response? |
| 26 |
|
| 27 |
Yes, the topmost two lines in my quote: |
| 28 |
|
| 29 |
>>>> And how will you get to know about current or future |
| 30 |
>>>> security issues if nobody (in Gentoo) cares about the |
| 31 |
>>>> package? |
| 32 |
|
| 33 |
In the "dead upstream" case it's unlikely anyone is checking the |
| 34 |
package for security issues in the first place. So neither the Gentoo |
| 35 |
security people will get notice via the usual sources nor will any |
| 36 |
upstream be informed. |
| 37 |
|
| 38 |
If there's a *known* bug, you're right. Case closed. |
| 39 |
|
| 40 |
If the package in question is just bit-rotting and nobody cares, you |
| 41 |
most likely won't ever know about any security issues, though - until |
| 42 |
something nasty happens. This is one of the problems with "dead |
| 43 |
upstream" packages. |
| 44 |
|
| 45 |
Best regards, Wulf |
| 46 |
-----BEGIN PGP SIGNATURE----- |
| 47 |
Version: GnuPG v2.0.19 (GNU/Linux) |
| 48 |
Comment: Using GnuPG with undefined - http://www.enigmail.net/ |
| 49 |
|
| 50 |
iEYEARECAAYFAlELzGEACgkQnuVXRcSi+5rJAwCfYGcHAJzmxwD+2L0WZlajnfP4 |
| 51 |
TzsAn1NN88QQDG3Q9br73nM1KcFT9rDW |
| 52 |
=5aeo |
| 53 |
-----END PGP SIGNATURE----- |
Archives