On Thu, Jan 08, 2015 at 04:26:02AM +0300, Andrew Savchenko wrote:
> On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> > All,
> >
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
>
> Some of them are binary packages or have no fixes upstream. If
> there are no alternatives in tree for a package, and it works fine
> (despite some bugs or issues), then let it be. If package is
> broken, doesn't compile and upstream is dead, this is a possible
> candidate for removal.
>
> > # Ulrich Müller <ulm@g.o> (15 Jul 2014)
> > # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> > # pending multiple security vulnerabilities and QA issues.
> > # See bugs #515926
>
> This is just QA.
>
> > games-fps/rtcw
>
> Works fine here. While there are possible security issues due to
> 510960, it is perfectly safe to be used in isolated environment
> (e.g. a local game in a separate container).
>
> > # Chris Gianelloni <wolf31o2@g.o> (03 Mar 2008)
> > # Masking due to security bug #194607 and security bug #204067
> > games-fps/doom3
> > games-fps/doom3-cdoom
> > games-fps/doom3-chextrek
> > games-fps/doom3-data
> > games-fps/doom3-demo
> > games-fps/doom3-ducttape
> > games-fps/doom3-eventhorizon
> > games-fps/doom3-hellcampaign
> > games-fps/doom3-inhell
> > games-fps/doom3-lms
> > games-fps/doom3-mitm
> > games-fps/doom3-phantasm
> > games-fps/doom3-roe
>
> Only doom3 is vulnerable here, other packages are just deps.
> Both vulnerabilities are remote, so local users (e.g. if someone
> just wants to play original doom3 without multiplayer game) are
> perfectly safe.
>
> Yet this issue may be fixed: doom3 released source code under GPL-3:
> https://github.com/id-Software/DOOM-3
> Maybe doom3 should be renamed to doom3-bin (if someone needs it for
> whatever reason), and doom3 should be readded as a GPL-3 version.
> Doom3 build from source works great for me.

This would be for the maintainers to decide, but if it is under gpl3
now, I would vote for adding the new version and getting rid of the old
one. I don't see a need to keep a binary proprietary product if the new
one is gpl'd.

This is why I posted this last rites, to get people to look at the
packages. :-)

William

>
> Security issues are just format string handlings and should be easy
> to fix with source code available, though considering how picky is
> games team for changing network code outside of upstream, I really
> doubt such patches have a chance to come to the tree.
>
> > # Tavis Ormandy <taviso@g.o> (21 Mar 2006)
> > # masked pending unresolved security issues #127167
> > games-roguelike/slashem
> >
> > # Tavis Ormandy <taviso@g.o> (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> > games-util/hearse
>
> Upstream doesn't consider these issues as bugs at all. This is a
> clash of incompatible permission policies by games team and
> nethack.
>
> Best regards,
> Andrew Savchenko