Gentoo Archives: gentoo-security

From: Mateusz Arkadiusz Mierzwinski <mateuszmierzwinski@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] #342619 RESOLVED WONTFIX
Date: Thu, 28 Oct 2010 10:05:41
In Reply to: Re: [gentoo-security] #342619 RESOLVED WONTFIX by Pavel Labushev
2010/10/28 Pavel Labushev <p.labushev@×××××.com>

> > I didn't test that patch; even if it's incorrect, bugreport is not about
> > a patch. It's about a security issue.
>
> Well, the bug report is about the patch. There's another bug about the
> issues with LD_AUDIT:
>
"The beat goes on! Nothing's wrong!...". Tell me - if an app has a bug - like the "calc" ;) app in KDE - who uses it? Developers will not patch the app because it's less than 1% of users that use it in KDE? I don't think so. Even if it's a lower priority patch, I think it should be included in mainstream. It's like buying a car that closes by remote, but 1% of users will still use the key for the central lock - oops! None included? Service: "Sorry! That's not mainstream ;). You must install it by yourself" :].
> > > This proof-of-concept exploit still works in gentoo (amd64 stable at
> > > least, even hardened!), because some dangerous variables are not filtered out.
>
> It still works because glibc-2.11.2-r2 with the fix is still keyworded
> (yeah, epic fail goes on).
>
Let's keyword everything, push "da blocks, man!" on every package and this will be the most secure distro :>. Great job! :) I think that Gentoo devs forget about something more important in today's world - USABILITY. The "normal" user without "extra abilities" will not patch anything because he doesn't even know what a PATCH is. Developers have those users TOO on Gentoo. This is the strength of Mandriva and Debian-like distros (the Ubuntu line especially). Users click and software works, it upgrades, and if a bug is found, the patch is downloaded with the latest update. Tell mister "Marian" from accounting that he must PATCH something. I like the look on those people's faces after saying that junk -> :] "Yeah! Sure... What icon should I press in my "K" menu?". Devs should include patches in mainstream even if it's a lower priority patch. Why? Because it takes about 2-10 (depending on knowledge level) minutes extra and drops discussions like this one. 10 minutes extra VS silence - I think it's fair :).

--
Mateusz Mierzwiński
Bluebox Software [PL]
Neural Networks, Artificial Perception and Artificial Intelligence projects coordinator

