On Mon, 2009-11-09 at 14:33 +0100, Ben de Groot wrote:
> I am of the opinion it is irresponsible to leave vulnerable versions of Qt with
> known security bugs any longer in the tree. The Qt team therefore requests
> that arches that have not done so already move quickly on stabilizing Qt
> 4.5.3, see bug 290922 and 283810.

It is more irresponsible and outright wrong to remove the latest stable revision of a package for some arches, despite security implications. Hard masking constitutes the same - the last stable version is not in stable visibility anymore.
You can however remove the keywords of the arches from older versions that do have a newer version/revision stable as seen in all profiles.

> We plan on REMOVING or at the very least HARDMASKING pending removal
> all <=4.5.2 ebuilds by the end of this week. This means that arches that have
> not stabilized 4.5.3 would lose their stable Qt4 version.

How do you see this being acceptable for the users of these architectures?
Many of these architectures that are "lagging behind" not being even security supported architectures.

> Please let us know if there is any way in which we can assist arches. We
> are aware that some arches are down to one active person. But if there is
> no other way, maybe the status of such arches should be reconsidered.

It seems most of these arches that are at ~1 person are not security supported either.

> We especially request ppc64 to be marked as an experimental arch, as it
> is the worst one lagging in stabilization. See bug 281821 for a poignant
> example, a 3 months open security bug.

First its security supported status should be considered, not making it an experimental arch, as that could very well throw it in a backwards spiral of getting more and more problematic due to repoman iirc not checking issues with it by default.

-- 
Mart Raudsepp
Gentoo Developer
Mail: leio@gentoo.org
Weblog: http://planet.gentoo.org/developers/leio