-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sorry for quoting a lot this time but it's important for understanding
the issue.

On 01.02.2013 15:00, Ian Stakenvicius wrote:
> On 01/02/13 08:56 AM, Wulf C. Krueger wrote:
>> On 01.02.2013 14:47, Rich Freeman wrote:
>>>> And how will you get to know about current or future
>>>> security issues if nobody (in Gentoo) cares about the
>>>> package?
>>> The same way that you know about security issues in Firefox or
>>> Chromium [...] Until somebody tells upstream about them you're
>>> going to be vulnerable.
>> Indeed. In contrast to many of the packages that were mentioned
>> in this thread, Firefox and Chromium have an active upstream,
>> though. What do you think will happen to projects with a dead
>> upstream? I think the answer is pretty simple: Nothing.
> Not really, no. A dead upstream means that there isn't an upstream
> to push a fix or release a new version. That's all. If security
> bugs occur then there are two options -- fix, or remove. So if the
> gentoo dev in question doesn't have time/ability/desire to fix,
> they or security remove it at that point. This isn't "nothing" to
> me; I must be missing something from your response?

Yes, the topmost two lines in my quote:

>>>> And how will you get to know about current or future
>>>> security issues if nobody (in Gentoo) cares about the
>>>> package?

In the "dead upstream" case it's unlikely anyone is checking the
package for security issues in the first place. So neither the Gentoo
security people will get notice via the usual sources nor will any
upstream be informed.

If there's a *known* bug, you're right. Case closed.

If the package in question is just bit-rotting and nobody cares, you
most likely won't ever know about any security issues, though - until
something nasty happens. This is one of the problems with "dead
upstream" packages.

Best regards, Wulf
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlELzGEACgkQnuVXRcSi+5rJAwCfYGcHAJzmxwD+2L0WZlajnfP4
TzsAn1NN88QQDG3Q9br73nM1KcFT9rDW
=5aeo
-----END PGP SIGNATURE-----