| 1 |
On 07/01/2015 14:56, Rich Freeman wrote: |
| 2 |
> On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@g.o> wrote: |
| 3 |
>> |
| 4 |
>> I am particularly concerned about packages with known security |
| 5 |
>> vulnerabilities staying in the main tree masked. If people want to keep |
| 6 |
>> using those packages, I don't want to stop them, but packages like this |
| 7 |
>> should not be in the main tree. |
| 8 |
>> |
| 9 |
> |
| 10 |
> Is this policy documented anywhere? If not, I'd be interested in what |
| 11 |
> the general sense of the community is here, and this might be an |
| 12 |
> appropriate topic for the next Council meeting. |
| 13 |
> |
| 14 |
> I guess my question is what harm does it cause to have masked packages |
| 15 |
> in the main tree, where they at least benefit from other forms of QA |
| 16 |
> (eclass fixes, etc)? The mask messages clearly point out the security |
| 17 |
> issues, so anybody who unmasks them is making an informed decision. |
| 18 |
> If they just move to some overlay most likely they won't have any |
| 19 |
> warnings and people will just figure that they're one of 10k other |
| 20 |
> packages that someone doesn't want to bother getting into the tree. |
| 21 |
> |
| 22 |
> I'll go ahead and reply to the council agenda thread with this, and |
| 23 |
> I'd be interested in what the general sense of the rest of the |
| 24 |
> community is here. |
| 25 |
|
| 26 |
|
| 27 |
I always thought the (informal, ad-hoc) policy for buildable, working |
| 28 |
packages with security bugs was to p.mask them and let the user decide. |
| 29 |
For all the reasons you cite. |
| 30 |
|
| 31 |
And that packages are only removed from the tree when they don't build, |
| 32 |
don't work, upstream is gone and took their sources with them, etc, etc. |
| 33 |
|
| 34 |
|
| 35 |
-- |
| 36 |
Alan McKinnon |
| 37 |
alan.mckinnon@×××××.com |
Archives