| 1 |
On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote: |
| 2 |
> All, |
| 3 |
> |
| 4 |
> these packages have been masked in the tree for months - years with no |
| 5 |
> signs of fixes. |
| 6 |
|
| 7 |
Some of them are binary packages or have no fixes upstream. If |
| 8 |
there are no alternatives in tree for a package, and it works fine |
| 9 |
(despite some bugs or issues), then let it be. If package is |
| 10 |
broken, doesn't compile and upstream is dead, this is a possible |
| 11 |
candidate for removal. |
| 12 |
|
| 13 |
> # Ulrich Müller <ulm@g.o> (15 Jul 2014) |
| 14 |
> # Permanently mask sys-libs/lib-compat and its reverse dependencies, |
| 15 |
> # pending multiple security vulnerabilities and QA issues. |
| 16 |
> # See bugs #515926 |
| 17 |
|
| 18 |
This is just QA. |
| 19 |
|
| 20 |
> games-fps/rtcw |
| 21 |
|
| 22 |
Works fine here. While there are possible security issues due to |
| 23 |
510960, it is perfectly safe to be used in isolated environment |
| 24 |
(e.g. a local game in a separate container). |
| 25 |
|
| 26 |
> # Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008) |
| 27 |
> # Masking due to security bug #194607 and security bug #204067 |
| 28 |
> games-fps/doom3 |
| 29 |
> games-fps/doom3-cdoom |
| 30 |
> games-fps/doom3-chextrek |
| 31 |
> games-fps/doom3-data |
| 32 |
> games-fps/doom3-demo |
| 33 |
> games-fps/doom3-ducttape |
| 34 |
> games-fps/doom3-eventhorizon |
| 35 |
> games-fps/doom3-hellcampaign |
| 36 |
> games-fps/doom3-inhell |
| 37 |
> games-fps/doom3-lms |
| 38 |
> games-fps/doom3-mitm |
| 39 |
> games-fps/doom3-phantasm |
| 40 |
> games-fps/doom3-roe |
| 41 |
|
| 42 |
Only doom3 is vulnerable here, other pacakegs s are just deps. |
| 43 |
Both vulnerabilities are remote, so local users (e.g. if someone |
| 44 |
just wants to play original doom3 without multiplayer game) are |
| 45 |
perfectly safe. |
| 46 |
|
| 47 |
Yet this issue may be fixed: doom3 released source code under GPL-3: |
| 48 |
https://github.com/id-Software/DOOM-3 |
| 49 |
Maybe doom3 should be renamed to doom3-bin (if someone needs it for |
| 50 |
whatever reason), and doom3 should be readded as a GPL-3 version. |
| 51 |
Doom3 build from source works great for me. |
| 52 |
|
| 53 |
Security issues are just format string handlings and should be easy |
| 54 |
to fix with source code available, though considering how picky is |
| 55 |
games team for changing network code outside of upstream, I really |
| 56 |
doubt such patches have a chance to come to the tree. |
| 57 |
|
| 58 |
> # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
| 59 |
> # masked pending unresolved security issues #127167 |
| 60 |
> games-roguelike/slashem |
| 61 |
> |
| 62 |
> # Tavis Ormandy <taviso@g.o> (21 Mar 2006) |
| 63 |
> # masked pending unresolved security issues #125902 |
| 64 |
> games-roguelike/nethack |
| 65 |
> games-util/hearse |
| 66 |
|
| 67 |
Upstream doesn't consider these issues as bugs at all. This is a |
| 68 |
clash of incompatible permission policies by games team and |
| 69 |
nethack. |
| 70 |
|
| 71 |
Best regards, |
| 72 |
Andrew Savchenko |
Archives