Gentoo Archives: gentoo-server

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] Stable portage tree (again)
Date: Wed, 06 Sep 2006 10:56:17
Message-Id: 200609061252.54250.jaervosz@gentoo.org
In Reply to: Re: [gentoo-server] Stable portage tree (again) by Jonas Fietz
Hi there,

On Wednesday 06 September 2006 12:00, Jonas Fietz wrote:
> paul kölle wrote:
> > José González Gómez schrieb:
> I think a better approach for this would be to have a kind of wiki web
> hosted at whatever.gentoo.org, where admins would report their
> success/failure using a given version of a package with a given set of use
> flags.
There already is an unofficial wiki. If you want something more official the
new [1] Gentoo Knowledge Base might become what you're looking for.

> >> I would like to make a proposal here. What if no longer maintained
> >> ebuilds were marked but not deleted? Let's say you have _x86 in
> >> KEYWORDS for ebuilds/packages no longer maintained, that emerge is
> >> aware of that and can inform us of this and that those ebuilds are
> >> maintained in the portage tree for, let's say, a year WITH NO SECURITY
> >> BACKPORTS on them. This would be kind of an end-of-life notice that
> >> gives you some time to react. This way you still would be able to use
> >> the ebuild at your own risk, and this wouldn't represent much extra
> >> work load for the Gentoo devs, as the deletion process could be
> >> automatic with the use of some scripts. What do you think?
I haven't followed the Sunrise discussion so this might be dead wrong, but I
think such ebuilds might have a new and totally unsupported (security-wise)
home there. (No flames please)

> I am not sure about it, but I think that there are no GLSAs published
> for deleted packages, so you would effectively not know if there was a
> security problem. By the nature of how GLSAs are written, it might still
> be that your version is marked as being vulnerable. (Most of the time it
> is "<specific-version")
Note that GLSAs are not issued for _all_ issues, only those of a given
severity. See the Gentoo Linux Vulnerability Treatment Policy [2] for further
details.

[1] http://www.gentoo.org/proj/en/kbase/
[2] http://www.gentoo.org/security/en/vulnerability-policy.xml

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
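The point raised above, that a GLSA's vulnerable range is usually written as "<specific-version" and therefore still catches an old ebuild an admin kept installed after it left the tree, shown as an added example. This code is not part of the post and is not Gentoo's glsa-check: it uses a simplified reimplementation of Gentoo version ordering (not Portage's own vercmp), a constructed GLSA-shaped XML entry with a hypothetical id, package name and versions, and only the five plain range comparisons (lt, le, eq, gt, ge); the real advisory format has more.

```python
"""Added example (not from the post): match installed versions against the
version ranges of a GLSA-style package entry.  The version comparison is a
simplified reimplementation of Gentoo ordering, not Portage's vercmp."""
import re
import xml.etree.ElementTree as ET
from itertools import zip_longest

# Gentoo suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_ORDER = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_NO_SUFFIX = (_SUFFIX_ORDER[""], 0)
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"
    r"(?:-r(?P<rev>\d+))?$"
)


def parse_version(v):
    """Split e.g. '2.0.4a_rc1-r2' into (numbers, letter, suffixes, revision)."""
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = tuple(
        (_SUFFIX_ORDER[name], int(num or 0))
        for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))
    )
    return nums, m.group("letter") or "", suffixes, int(m.group("rev") or 0)


def vercmp(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    for x, y in ((na, nb), (la, lb)):
        if x != y:
            return -1 if x < y else 1
    # A missing suffix sorts between _rc and _p, so pad the shorter list with it.
    for x, y in zip_longest(sa, sb, fillvalue=_NO_SUFFIX):
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)


# Subset of the GLSA range vocabulary handled here (assumption: the real
# format has further, revision-restricted variants not modelled).
_RANGE_OPS = {
    "lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
    "gt": lambda c: c > 0, "ge": lambda c: c >= 0,
}


def is_affected(installed, vulnerable, unaffected):
    """GLSA semantics: affected iff some vulnerable range matches the installed
    version and no unaffected range does.  Ranges are (op, version) pairs."""
    if any(_RANGE_OPS[op](vercmp(installed, v)) for op, v in unaffected):
        return False
    return any(_RANGE_OPS[op](vercmp(installed, v)) for op, v in vulnerable)


def affected_packages(glsa_xml, installed):
    """Walk the <package> entries of a GLSA-style document and return the
    installed (name, version) pairs that fall inside a vulnerable range."""
    root = ET.fromstring(glsa_xml)
    hits = []
    for pkg in root.iter("package"):
        name = pkg.get("name")
        if name not in installed:
            continue
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        if is_affected(installed[name], vuln, unaff):
            hits.append((name, installed[name]))
    return hits


# Constructed GLSA-shaped entry: hypothetical id, package and versions.
EXAMPLE_GLSA = """<glsa id="000000-00">
  <affected>
    <package name="net-misc/example-daemon" auto="yes" arch="*">
      <unaffected range="ge">2.0.4</unaffected>
      <vulnerable range="lt">2.0.4</vulnerable>
    </package>
  </affected>
</glsa>
"""

# Constructed "installed" set: 1.9.7 stands for an old ebuild an admin kept
# after it was dropped from the tree; the "<2.0.4" range still catches it.
EXAMPLE_INSTALLED = {
    "net-misc/example-daemon": "1.9.7",
    "app-misc/unrelated": "3.1",
}

if __name__ == "__main__":
    for name, ver in affected_packages(EXAMPLE_GLSA, EXAMPLE_INSTALLED):
        print(f"{name}-{ver}: affected")
```

The open-ended lower bound is what makes the removed version show up: nothing in the advisory needs to list 1.9.7 explicitly, so an ebuild that left the tree long before the advisory was written is still inside "lt 2.0.4" and is reported, while 2.0.4 or any later revision matches the unaffected range and is not.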