On 07/01/2015 14:56, Rich Freeman wrote:
> On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@g.o> wrote:
>>
>> I am particularly concerned about packages with known security
>> vulnerabilities staying in the main tree masked. If people want to keep
>> using those packages, I don't want to stop them, but packages like this
>> should not be in the main tree.
>>
>
> Is this policy documented anywhere? If not, I'd be interested in what
> the general sense of the community is here, and this might be an
> appropriate topic for the next Council meeting.
>
> I guess my question is what harm does it cause to have masked packages
> in the main tree, where they at least benefit from other forms of QA
> (eclass fixes, etc)? The mask messages clearly point out the security
> issues, so anybody who unmasks them is making an informed decision.
> If they just move to some overlay most likely they won't have any
> warnings and people will just figure that they're one of 10k other
> packages that someone doesn't want to bother getting into the tree.
>
> I'll go ahead and reply to the council agenda thread with this, and
> I'd be interested in what the general sense of the rest of the
> community is here.

I always thought the (informal, ad-hoc) policy for buildable, working
packages with security bugs was to p.mask them and let the user decide.
For all the reasons you cite.

And that packages are only removed from the tree when they don't build,
don't work, upstream is gone and took their sources with them, etc, etc.

--
Alan McKinnon
alan.mckinnon@×××××.com