| 1 |
On 25/09/14 08:42 AM, Andrew Savchenko wrote: |
| 2 |
> Hello, |
| 3 |
> |
| 4 |
> many packages in tree are masked due to security issues instead of |
| 5 |
> issuing GLSA for them. Why? At this moment I counted 56 such |
| 6 |
> packages in package.mask. |
| 7 |
> |
| 8 |
> Some of these packages have GLSAs issued (e.g. nethack and friends) |
| 9 |
> and have no fixes, so this is understandable. But most packages are |
| 10 |
> just masked "due to security bugs", I recently stumbled upon: |
| 11 |
> ppp, mariadb, mysql, vlc... |
| 12 |
> |
| 13 |
> Why such masking is bad? Because it undermines the whole idea of |
| 14 |
> GLSA as a sole security provider for Gentoo users. |
| 15 |
> |
| 16 |
> I manage about 50 Gentoo boxes (with more than 10 unique setups) |
| 17 |
> and I'm not an update monkey to update them weekly. My usual |
| 18 |
> workflow is to emerge all world somewhere within 6 month and 1 |
| 19 |
> year, but to install security updates regularly and critical ones |
| 20 |
> ASAP. GLSA serves this purpose well (Yes, I understood that |
| 21 |
> security team can't embrace all issues so some extra lookup for |
| 22 |
> CVEs is needed as well). But security-masked packages undermine |
| 23 |
> such approach, because they're not listed in glsa-check -l affected |
| 24 |
> and message about masked packages doesn't appear in elog, only on |
| 25 |
> top of build log, which is likely to be lost. |
| 26 |
> |
| 27 |
> Best regards, |
| 28 |
> Andrew Savchenko |
| 29 |
> |
| 30 |
|
| 31 |
1. one of your examples is clearly wrong, mariadb has no masked versions |
| 32 |
in the tree. |
| 33 |
|
| 34 |
2. since you claim to have read package.mask, you will have noticed that |
| 35 |
each mask (bar one) has a bug attached or easily accessible via alias. |
| 36 |
the single one that does not have a bug number can easily be found via |
| 37 |
search on the package name. if you bothered to read a single one of |
| 38 |
them, they will have said that there is a GLSA in progress or that |
| 39 |
stabilization is still in progress. |
| 40 |
|
| 41 |
3. if you want to use old-ass packages from the age of bourne shell, use |
| 42 |
debian, not gentoo. |
Archives