On Thu, Jan 08, 2015 at 12:21:18AM +0300, Andrew Savchenko wrote:
> Hello,
>
> On Wed, 7 Jan 2015 13:35:17 -0600 William Hubbs wrote:
> > If we want to keep proprietary packages with security issues in the
> > tree, they should be marked as proprietary in package.mask so it is
> > obvious that they will never be fixed.
> >
> > If there is an upstream security issue with a non-proprietary
> > package:
> >
> > When a version or revision with the fix is available, it should be
> > fast stabled. Once that is done, all older versions should be removed
> > if possible. If this is not possible right away, the older versions
> > should go in p.mask with a removal date.
> >
> > Thoughts?
>
> What about open source packages with no fixes, or where upstream doesn't
> consider the bug a security issue? A good example is
> games-roguelike/nethack, bug 125902, where upstream doesn't
> consider the issue a security problem, and for many setups (e.g. a
> personal device with a single user in the games group) this is not a
> problem at all?

I just read through this bug, and I see it the same way most people who
posted to the bug see it. It is a major flaw in how our games policies
were designed. Since it is known that we are moving toward getting rid
of games.eclass, and this is a popular game, whoever takes over
maintenance should make fixing this a high priority.

If I were taking over this game, I would immediately look into rewriting
the ebuild to not use games.eclass.

> IMO packages (not specific versions, but whole packages) should not
> be removed if they work. Maybe masked, but no more.

The problem is that defining "work" is too vague. I would rather not see
something like this statement made into a distro-wide policy.

William