| 1 |
On 09/26/2010 07:51 AM, Volker Armin Hemmann wrote: |
| 2 |
> so there has been roughly a week so far. |
| 3 |
|
| 4 |
Agreed - 10 days was the figure I mentioned. So far we're 7 over the |
| 5 |
target of 3. Most major distros did it in less than 1. |
| 6 |
|
| 7 |
> |
| 8 |
> And the bug is not that dangerous - except when you insist on running unsecure |
| 9 |
> 32bit software on a 64bit system. |
| 10 |
> |
| 11 |
|
| 12 |
I didn't realize that multilib amd64 wasn't a security-supported |
| 13 |
configuration of Gentoo. Perhaps that should be documented somewhere - |
| 14 |
like the amd64 handbook, and the multilib howto. The security page |
| 15 |
probably should also be updated - to indicate that amd64 is a supported |
| 16 |
arch only without multilib. |
| 17 |
|
| 18 |
Note that you don't need to RUN any 32-bit software to be insecure - you |
| 19 |
merely need to have support for it enabled in the kernel config. |
| 20 |
|
| 21 |
Look, either multilib is supported, or it isn't. If it isn't, that's a |
| 22 |
pretty big caveat that we don't document ANYWHERE. If it is, then we |
| 23 |
have to fix bugs in line with the security guidelines. |
| 24 |
|
| 25 |
I'm just asking for us to be up-front with our policies, and to follow |
| 26 |
them. If we don't support multilib amd64, fine. If we do support it, |
| 27 |
then we need to support it. |
| 28 |
|
| 29 |
Rich |
Archives