| 1 |
J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted: |
| 2 |
|
| 3 |
> On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote: |
| 4 |
>> # Aaron Bauman <bman@g.o> (30 Jun 2016) |
| 5 |
>> # Unpatched security vulnerability per bug #509920. |
| 6 |
>> # Removal in 30 days www-apps/egroupware |
| 7 |
> |
| 8 |
> Why is this bug being used to treeclean egroupware? |
| 9 |
> |
| 10 |
> Why is bug 461212 not being used to actually resolve the issue? |
| 11 |
> If I would actually be confident that it would actually be used, I would |
| 12 |
> have no issue on trying to get my latest ebuild ( version 14.3.20160525 |
| 13 |
> ) converted to the latest standards. |
| 14 |
|
| 15 |
According to equery meta, egroupware has no individual developer |
| 16 |
maintainer and no proxied maintainer, only the webapps project as |
| 17 |
maintainer. And apparently there, nobody has been specifically |
| 18 |
interested in egroupware, so it has fallen thru the cracks to some |
| 19 |
degree, tho newer versions /may/ be in the webapps-experimental overlay. |
| 20 |
|
| 21 |
Here's the webapps project wiki page: |
| 22 |
|
| 23 |
https://wiki.gentoo.org/wiki/Project:Webapps |
| 24 |
|
| 25 |
That has this to say when discussing the overlay, quote: |
| 26 |
|
| 27 |
Web applications in general tend to be a severe security liability. They |
| 28 |
are designed to communicate with the outside world and need to deal with |
| 29 |
a range of input from the Internet. Since it is often hard for developers |
| 30 |
to foresee all types of malicious input, security flaws are being |
| 31 |
detected rather frequently in the apps we maintain. |
| 32 |
|
| 33 |
To reduce the impact of such incidents while still offering a wide range |
| 34 |
of different web applications, we created a Portage overlay that contains |
| 35 |
ebuilds for applications that we do not want to maintain in the main |
| 36 |
tree. Such applications either lack a developer willing to maintain it in |
| 37 |
Portage or have not been reviewed for security. |
| 38 |
|
| 39 |
The overlay can be found here: |
| 40 |
https://cgit.gentoo.org/proj/webapps-experimental.git/ |
| 41 |
|
| 42 |
Warning |
| 43 |
Please remember that the applications available through the overlay might |
| 44 |
compromise the security of your server! |
| 45 |
|
| 46 |
The overlay is an ideal playground for new developers wishing to join our |
| 47 |
team. Once we see that you are capable of writing ebuilds of reasonable |
| 48 |
quality, we can provide you with commit rights to the overlay. |
| 49 |
|
| 50 |
End quote. |
| 51 |
|
| 52 |
|
| 53 |
So it's possible newer versions are in the overlay, and they simply |
| 54 |
decided it was too much of a load to keep a version in the tree as well. |
| 55 |
|
| 56 |
If there /aren't/ newer versions in the overlay, presumably it's because |
| 57 |
nobody that has access has been interested in maintaining it in the |
| 58 |
overlay either. |
| 59 |
|
| 60 |
|
| 61 |
Either way, given your obvious interest, I'd suggest contacting them |
| 62 |
about overlay commit rights, and/or volunteering to be the proxied |
| 63 |
maintainer for this particular package. |
| 64 |
|
| 65 |
-- |
| 66 |
Duncan - List replies preferred. No HTML msgs. |
| 67 |
"Every nonfree program has a lord, a master -- |
| 68 |
and if you use the program, he is your master." Richard Stallman |
Archives