J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted:

> On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote:
>> # Aaron Bauman <bman@g.o> (30 Jun 2016)
>> # Unpatched security vulnerability per bug #509920.
>> # Removal in 30 days www-apps/egroupware
>
> Why is this bug being used to treeclean egroupware?
>
> Why is bug 461212 not being used to actually resolve the issue?
> If I would actually be confident that it would actually be used, I would
> have no issue on trying to get my latest ebuild ( version 14.3.20160525
> ) converted to the latest standards.

According to equery meta, egroupware has no individual developer
maintainer and no proxied maintainer, only the webapps project as
maintainer. And apparently there, nobody has been specifically
interested in egroupware, so it has fallen thru the cracks to some
degree, tho newer versions /may/ be in the webapps-experimental overlay.

Here's the webapps project wiki page:

https://wiki.gentoo.org/wiki/Project:Webapps

That has this to say when discussing the overlay, quote:

Web applications in general tend to be a severe security liability. They
are designed to communicate with the outside world and need to deal with
a range of input from the Internet. Since it is often hard for developers
to foresee all types of malicious input, security flaws are being
detected rather frequently in the apps we maintain.

To reduce the impact of such incidents while still offering a wide range
of different web applications, we created a Portage overlay that contains
ebuilds for applications that we do not want to maintain in the main
tree. Such applications either lack a developer willing to maintain it in
Portage or have not been reviewed for security.

The overlay can be found here:
https://cgit.gentoo.org/proj/webapps-experimental.git/

Warning
Please remember that the applications available through the overlay might
compromise the security of your server!

The overlay is an ideal playground for new developers wishing to join our
team. Once we see that you are capable of writing ebuilds of reasonable
quality, we can provide you with commit rights to the overlay.

End quote.


So it's possible newer versions are in the overlay, and they simply
decided it was too much of a load to keep a version in the tree as well.

If there /aren't/ newer versions in the overlay, presumably it's because
nobody that has access has been interested in maintaining it in the
overlay either.


Either way, given your obvious interest, I'd suggest contacting them
about overlay commit rights, and/or volunteering to be the proxied
maintainer for this particular package.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman