| 1 |
Hello, |
| 2 |
|
| 3 |
On Wed, 7 Jan 2015 13:35:17 -0600 William Hubbs wrote: |
| 4 |
> If we want to keep proprietary packages with security issues in the |
| 5 |
> tree, they should be marked as proprietary in package.mask so it is |
| 6 |
> obvious that they will never be fixed. |
| 7 |
> |
| 8 |
> If there is an upstream security issue with a non-proprietary |
| 9 |
> package: |
| 10 |
> |
| 11 |
> When a version or revision with the fix is available, it should be |
| 12 |
> fast stabled. Once that is done, all older versions should be removed |
| 13 |
> if possible. if this is not possible right away, the older versions |
| 14 |
> should go in p.mask with a removal date. |
| 15 |
> |
| 16 |
> Thoughts? |
| 17 |
|
| 18 |
What about open source packages with no fixes or where doesn't |
| 19 |
consider bug as a security issue? Good example is |
| 20 |
games-roguelike/nethack, bug 125902, where upstream doesn't |
| 21 |
consider issue as a security problem and for many setups (e.g. |
| 22 |
personal device with single user is the games group) this is not a |
| 23 |
problem at all? |
| 24 |
|
| 25 |
IMO packages (not specific versions, but whole packages) should not |
| 26 |
be removed if they work. Maybe masked, but no more. |
| 27 |
|
| 28 |
Best regards, |
| 29 |
Andrew Savchenko |
Archives