Gentoo Archives: gentoo-security

From: Kfir Lavi <lavi.kfir@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] #342619 RESOLVED WONTFIX
Date: Thu, 28 Oct 2010 12:04:51
In Reply to: Re: [gentoo-security] #342619 RESOLVED WONTFIX by Mateusz Arkadiusz Mierzwinski
2010/10/28 Mateusz Arkadiusz Mierzwinski <mateuszmierzwinski@×××××.com>

> 2010/10/28 Pavel Labushev <p.labushev@×××××.com>
>
>> > I didn't test that patch; even if it's incorrect, the bug report is not about
>> > a patch. It's about a security issue.
>>
>> Well, the bug report is about the patch. There's another bug about the
>> issues with LD_AUDIT:
>
> "The beat goes on! Nothing's wrong!...". Tell me - if an app has a bug - like the
> "calc" ;) app in KDE - who uses it? Developers will not patch the app because
> it's less than 1% of users that use it in KDE? I don't think so. Even if it's
> a lower priority patch I think it should be included in mainstream. It's like
> buying a car that closes by remote, but 1% of users will still use the key for
> the central lock - oops! None included? Service: "Sorry! That's not mainstream
> ;). You must install it yourself" :].
>
>> > This proof-of-concept exploit still works in gentoo (amd64 stable at least,
>> > even hardened!), because some dangerous variables are not filtered out.
>>
>> It still works because glibc-2.11.2-r2 with the fix is still keyworded
>> (yeah, epic fail goes on).
>
> Let's keyword everything, push "da blocks, man!" on every package and this
> will be the most secure distro :>. Great job! :)
>
> I think that Gentoo devs forget about something more important in today's
> world - USABILITY. The "normal" user without "extra abilities" will not
> patch anything because he doesn't even know what a PATCH is. Developers have
> those users TOO on Gentoo. This is the strength of Mandriva and Debian-like distros
> (the Ubuntu line especially). Users click and software works, it upgrades, and if
> there is a bug the patch is downloaded with the latest update. Tell Mister "Marian"
> from accounting that he must PATCH something. I like the look on those people's faces
> after saying that junk -> :] "Yeah! Sure... What icon should I press in my "K" menu?".
>
LOL, I would like to know "Marian" in person and his habits of upgrading OOcalc. I wonder how he edits his /etc/make.conf, hehe, with Windows edit?! :-P Seriously, Gentoo is a system for "Marian" if and only if his friend "SuperUser" keeps his system running. And by the same token, go to your next-desk friend who is a computer scientist and ask him to install Gentoo. (GENGOO WHAT???!!! SOUNDS LIKE A GOOD BUNGEE CORD ;-) Gentoo is for us, not for them...
> Devs should include patches in mainstream even if it's a lower priority patch.
> Why? Because it takes about 2-10 (knowledge level) minutes extra and drops
> discussions like this one. 10 minutes extra VS silence - I think it's fair
> :).
>
> --
> Mateusz Mierzwiński
>
> Bluebox Software [PL]
> Neural Networks, Artificial Perception and Artificial Intelligence projects
> coordinator
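The quoted exchange turns on one observable fact: whether the dynamic loader still honours LD_AUDIT when an unprivileged user runs a setuid binary. The check below is an added example for readers of this thread; it is not code from the thread, from the bug report or from Gentoo. It assumes a glibc ld.so, which complains "cannot be loaded as audit interface ... ignored" when LD_AUDIT names an object it cannot open, and it assumes the candidate setuid binaries listed in the script (adjust the list for your box). It points LD_AUDIT at a nonexistent object, so nothing is ever loaded; it only looks at whether the loader acted on the variable at all.

```shell
#!/bin/sh
# Added check (not from the thread or from Gentoo): does ld.so drop LD_AUDIT
# for setuid binaries, as it should for any "secure" (AT_SECURE) execution?
#
# Assumption: glibc's loader prints a line containing
#   "cannot be loaded as audit interface"
# when LD_AUDIT names an object it cannot open, and then carries on.
# If a setuid binary run by an unprivileged user produces that line, the
# loader honoured LD_AUDIT instead of filtering it: the condition the
# thread describes.

# Classify captured loader stderr: "honoured" if ld.so acted on LD_AUDIT, else "filtered".
classify_ldso_stderr() {
    case "$1" in
        *"cannot be loaded as audit interface"*) echo honoured ;;
        *) echo filtered ;;
    esac
}

# Run one binary with LD_AUDIT pointing at a nonexistent object and classify
# what the loader says. Only stderr is captured; stdout is discarded.
probe_ld_audit() {
    bin="$1"
    out=$(LD_AUDIT=/nonexistent/ld_audit_probe.so "$bin" --version 2>&1 >/dev/null) || true
    classify_ldso_stderr "$out"
}

# Probe every setuid binary in the (assumed) candidate list.
# Returns 0 if all of them filtered LD_AUDIT, 1 if any honoured it,
# 2 if run as root (no uid change, so AT_SECURE is never set and the test says nothing).
check_setuid_binaries() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "run this as an unprivileged user, not root" >&2
        return 2
    fi
    # Reference: a non-setuid binary SHOULD report "honoured"; that proves the probe works here.
    printf 'reference %s (not setuid): LD_AUDIT %s\n' /bin/true "$(probe_ld_audit /bin/true)"
    rc=0
    for bin in /bin/su /usr/bin/passwd /bin/ping /usr/bin/sudo /bin/mount; do
        [ -u "$bin" ] || continue
        status=$(probe_ld_audit "$bin")
        printf '%s (setuid): LD_AUDIT %s\n' "$bin" "$status"
        [ "$status" = filtered ] || rc=1
    done
    return $rc
}

# Usage: sh ld_audit_check.sh  (as a normal user)
if check_setuid_binaries; then
    echo "OK: loader dropped LD_AUDIT for every setuid binary probed"
else
    echo "WARNING: loader honoured LD_AUDIT for a setuid binary, or the check could not run"
fi
```

If the reference line says "filtered", the probe itself did not work on this system (a non-glibc loader, or a different message), so a clean result for the setuid binaries means nothing; fix the probe before trusting it.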