Hello,

On Wed, 7 Jan 2015 13:35:17 -0600 William Hubbs wrote:
> If we want to keep proprietary packages with security issues in the
> tree, they should be marked as proprietary in package.mask so it is
> obvious that they will never be fixed.
>
> If there is an upstream security issue with a non-proprietary
> package:
>
> When a version or revision with the fix is available, it should be
> fast stabled. Once that is done, all older versions should be removed
> if possible. If this is not possible right away, the older versions
> should go in p.mask with a removal date.
>
> Thoughts?

What about open source packages with no fixes, or where upstream doesn't
consider a bug a security issue? A good example is
games-roguelike/nethack, bug 125902, where upstream doesn't
consider the issue a security problem, and for many setups (e.g. a
personal device with a single user in the games group) this is not a
problem at all.

IMO packages (not specific versions, but whole packages) should not
be removed if they work. Maybe masked, but no more.

Best regards,
Andrew Savchenko