On 25/09/14 08:42 AM, Andrew Savchenko wrote:
> Hello,
>
> many packages in the tree are masked due to security issues instead of
> issuing a GLSA for them. Why? At this moment I counted 56 such
> packages in package.mask.
>
> Some of these packages have GLSAs issued (e.g. nethack and friends)
> and have no fixes, so this is understandable. But most packages are
> just masked "due to security bugs"; I recently stumbled upon:
> ppp, mariadb, mysql, vlc...
>
> Why is such masking bad? Because it undermines the whole idea of
> GLSA as the sole security provider for Gentoo users.
>
> I manage about 50 Gentoo boxes (with more than 10 unique setups)
> and I'm not an update monkey to update them weekly. My usual
> workflow is to emerge all of world somewhere within 6 months and 1
> year, but to install security updates regularly and critical ones
> ASAP. GLSA serves this purpose well (yes, I understood that the
> security team can't embrace all issues, so some extra lookup for
> CVEs is needed as well). But security-masked packages undermine
> such an approach, because they're not listed in glsa-check -l affected
> and the message about masked packages doesn't appear in elog, only at the
> top of the build log, which is likely to be lost.
>
> Best regards,
> Andrew Savchenko
>

1. One of your examples is clearly wrong: mariadb has no masked versions
in the tree.

2. Since you claim to have read package.mask, you will have noticed that
each mask (bar one) has a bug attached or easily accessible via alias.
The single one that does not have a bug number can easily be found via a
search on the package name. If you had bothered to read a single one of
them, they would have said that there is a GLSA in progress or that
stabilization is still in progress.

3. If you want to use old-ass packages from the age of the Bourne shell, use
Debian, not Gentoo.