From: Chris Gianelloni <wolf31o2@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Security/QA Spring Cleaning
Date: Tue, 23 May 2006 17:46:09 -0400 [thread overview]
Message-ID: <1148420769.18445.20.camel@cgianelloni.nuvox.net> (raw)
In-Reply-To: <20060523210620.GE14671@nightcrawler>
[-- Attachment #1: Type: text/plain, Size: 1968 bytes --]
On Tue, 2006-05-23 at 14:06 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > > And now per arch breakdowns.
> > > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> >
> > No offense, but that isn't exactly useful in its current form. For
> > example, x86 shows *all* of the packages, even ones where it has a
> > non-vulnerable version stable.
> > I guess a breakdown of which
> > architectures still do not have a version *higher* than the ones listed
> > by the GLSA stable would be necessary instead.
>
> You're ignoring the fact that ebuilds can and do specify version
> ranges that result in portage using something other then the highest-
> the report is a listing of "these pkgs are vulnerable according to
> glsas", the arch-vulns is just a view of that with stable/unstable for
> that arch collapsed into one.
>
> In other words... having a version stable that isn't affected by the
> glsa, good and grand, but the ebuilds sitting in the tree are *still*
> vulnerable.
>
> Splitting off a stable vs unstable is doable, but the intention of
> that report is to spell out which packages in the tree are vulnerable,
> thus in need of getting the boot.
I completely understand this. However, in most cases the reason the
older packages are still in the tree is because *somebody* doesn't have
it stable yet. If we knew which arch(es) didn't have a non-vulnerable
version stable, then we could either remove the version, as it is no
longer needed, or determine who needs to catch up on keywording. As it
stands now, there's a huge number of packages listed for x86, where x86
can't necessarily do anything because someone else might not have a
newer version stable.
--
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
next prev parent reply other threads:[~2006-05-23 21:52 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-22 3:02 [gentoo-dev] Security/QA Spring Cleaning Ned Ludd
2006-05-22 5:25 ` Robin H. Johnson
2006-05-22 5:30 ` Brian Harring
2006-05-23 20:22 ` Ned Ludd
2006-05-23 20:44 ` Brian Harring
2006-05-23 22:44 ` Thomas Cort
2006-05-23 20:51 ` Chris Gianelloni
2006-05-23 21:06 ` Brian Harring
2006-05-23 21:46 ` Chris Gianelloni [this message]
2006-05-23 22:05 ` Brian Harring
2006-05-23 22:24 ` Chris Gianelloni
2006-05-23 22:36 ` Brian Harring
2006-05-24 4:11 ` Doug Goldstein
2006-05-24 12:06 ` Chris Gianelloni
2006-05-24 12:02 ` Chris Gianelloni
2006-05-23 21:50 ` Ned Ludd
2006-05-23 22:22 ` Chris Gianelloni
2006-05-28 18:20 ` Ned Ludd
2006-05-28 20:18 ` Robin H. Johnson
2006-05-29 1:17 ` Ned Ludd
2006-05-29 20:22 ` Chris Gianelloni
2006-06-02 13:15 ` Eldad Zack
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1148420769.18445.20.camel@cgianelloni.nuvox.net \
--to=wolf31o2@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox