1 |
On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote: |
2 |
> All, |
3 |
> |
4 |
> these packages have been masked in the tree for months - years with no |
5 |
> signs of fixes. |
6 |
|
7 |
Some of them are binary packages or have no fixes upstream. If |
8 |
there are no alternatives in tree for a package, and it works fine |
9 |
(despite some bugs or issues), then let it be. If package is |
10 |
broken, doesn't compile and upstream is dead, this is a possible |
11 |
candidate for removal. |
12 |
|
13 |
> # Ulrich Müller <ulm@g.o> (15 Jul 2014) |
14 |
> # Permanently mask sys-libs/lib-compat and its reverse dependencies, |
15 |
> # pending multiple security vulnerabilities and QA issues. |
16 |
> # See bugs #515926 |
17 |
|
18 |
This is just QA. |
19 |
|
20 |
> games-fps/rtcw |
21 |
|
22 |
Works fine here. While there are possible security issues due to |
23 |
510960, it is perfectly safe to be used in isolated environment |
24 |
(e.g. a local game in a separate container). |
25 |
|
26 |
> # Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008) |
27 |
> # Masking due to security bug #194607 and security bug #204067 |
28 |
> games-fps/doom3 |
29 |
> games-fps/doom3-cdoom |
30 |
> games-fps/doom3-chextrek |
31 |
> games-fps/doom3-data |
32 |
> games-fps/doom3-demo |
33 |
> games-fps/doom3-ducttape |
34 |
> games-fps/doom3-eventhorizon |
35 |
> games-fps/doom3-hellcampaign |
36 |
> games-fps/doom3-inhell |
37 |
> games-fps/doom3-lms |
38 |
> games-fps/doom3-mitm |
39 |
> games-fps/doom3-phantasm |
40 |
> games-fps/doom3-roe |
41 |
|
42 |
Only doom3 is vulnerable here, other pacakegs s are just deps. |
43 |
Both vulnerabilities are remote, so local users (e.g. if someone |
44 |
just wants to play original doom3 without multiplayer game) are |
45 |
perfectly safe. |
46 |
|
47 |
Yet this issue may be fixed: doom3 released source code under GPL-3: |
48 |
https://github.com/id-Software/DOOM-3 |
49 |
Maybe doom3 should be renamed to doom3-bin (if someone needs it for |
50 |
whatever reason), and doom3 should be readded as a GPL-3 version. |
51 |
Doom3 build from source works great for me. |
52 |
|
53 |
Security issues are just format string handlings and should be easy |
54 |
to fix with source code available, though considering how picky is |
55 |
games team for changing network code outside of upstream, I really |
56 |
doubt such patches have a chance to come to the tree. |
57 |
|
58 |
> # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
59 |
> # masked pending unresolved security issues #127167 |
60 |
> games-roguelike/slashem |
61 |
> |
62 |
> # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
63 |
> # masked pending unresolved security issues #125902 |
64 |
> games-roguelike/nethack |
65 |
> games-util/hearse |
66 |
|
67 |
Upstream doesn't consider these issues as bugs at all. This is a |
68 |
clash of incompatible permission policies by games team and |
69 |
nethack. |
70 |
|
71 |
Best regards, |
72 |
Andrew Savchenko |