* [gentoo-dev] Security/QA Spring Cleaning
From: Ned Ludd @ 2006-05-22 3:02 UTC
To: gentoo-dev; Cc: Brian Harring

ferringb took the time to write a parser and set up a cronjob (every 4 hours at the half hour) to parse over our GLSAs and see what pkgs remain in the tree and have nothing but newer versions stable. I did a bit of re-parsing on his logfile to obtain herds & maintainers. The list is big (very big) and, like, if I filed the bug in its current state pretty much every single one of us would probably get dozens of mails per comment. So, in order to try and be nice to our mail system and bugzilla, it would be really helpful if you all could grep the affected: field and flush old vulnerable ebuilds from the tree for any pkgs you or your herd maintain before the tracker bug is filed.

http://gentooexperimental.org/~ferringb/reports/tree-vulnerabilities.log

In the future, if you are bumping pkgs for a security bug and you are the last arch to push to stable, clean up old foo please. It keeps everything running smoother and faster to have less dead cruft in the tree.

You can use earch for this task.

wget -O /usr/local/bin/earch -q \
    http://dev.gentoo.org/~robbat2/earch-0.9.1 \
    && chmod +x /usr/local/bin/earch

It helps to make it a habit to run this before repoman --pretend scan prior to committing to the tree.

thanks in advance.

-- 
Ned Ludd <solar@gentoo.org>
All over the place
Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Robin H. Johnson @ 2006-05-22 5:25 UTC
To: gentoo-dev; Cc: Brian Harring

On Sun, May 21, 2006 at 11:02:22PM -0400, Ned Ludd wrote:
> ferringb took the time to write a parser and setup a cronjob
> (every 4 hours at the half hour) to parse over our GLSA's and see what
> pkgs remain in the tree and have nothing but newer versions stable. I
[snip]

Just because old versions exist, doesn't strictly mean that they are safe to remove - some of them may be in the tree because other packages block the newer versions.

-- 
Robin Hugh Johnson
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Brian Harring @ 2006-05-22 5:30 UTC
To: gentoo-dev

No need to cc, I'm on the ml (realize the norm is to cc, but no point in spamming me twice ;)

On Sun, May 21, 2006 at 10:25:12PM -0700, Robin H. Johnson wrote:
> On Sun, May 21, 2006 at 11:02:22PM -0400, Ned Ludd wrote:
> > ferringb took the time to write a parser and setup a cronjob
> > (every 4 hours at the half hour) to parse over our GLSA's and see what
> > pkgs remain in the tree and have nothing but newer versions stable. I
> [snip]
>
> Just because old versions exist, doesn't strictly mean that they are
> safe to remove - some of them may be in the tree because other packages
> block the newer versions.

Given, but vulnerable pkgs should be on the way out of the tree- this is strictly matching of what's vulnerable. Not dug into the revdeps, but wouldn't be surprised if at least 25% of what's being matched by the vulnerability queries is just cruft that never got removed.

~harring
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Ned Ludd @ 2006-05-23 20:22 UTC
To: gentoo-dev

And now per arch breakdowns.
http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

On Sun, 2006-05-21 at 23:02 -0400, Ned Ludd wrote:
> ferringb took the time to write a parser and setup a cronjob
> (every 4 hours at the half hour) to parse over our GLSA's and see what
> pkgs remain in the tree and have nothing but newer versions stable. I
> did a bit of re parsing on his logfile to obtain herds & maintainers.
> The list is big (very big) and like if I filed the bug in it's current
> state pretty much every single one of us would probably get dozens of
> mails per comment. So.. To in order to try and be nice to our mail
> system and bugzilla it would be really helpful if you all could grep
> the affected: field and flush old vulnerable ebuilds from the tree for
> any pkgs you or your herd maintain before the tracker bug is filed.
>
> http://gentooexperimental.org/~ferringb/reports/tree-vulnerabilities.log
>
> In the future if you are bumping pkgs for a security bug and you are
> the last arch to push to stable. Clean up old foo up please.
> It keeps everything running smoother and faster to have less
> dead cruft in the tree.
>
> You can use earch for this task.
>
> wget -O /usr/local/bin/earch -q \
> http://dev.gentoo.org/~robbat2/earch-0.9.1 \
> && chmod +x /usr/local/bin/earch
> It helps to make it a habit to run this before repoman --pretend scan
> prior to committing to the tree.
>
> thanks in advance.
>
> --
> Ned Ludd <solar@gentoo.org>
> All over the place
> Gentoo Linux

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Brian Harring @ 2006-05-23 20:44 UTC
To: gentoo-dev

On Tue, May 23, 2006 at 04:22:30PM -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

Couple more reports generated (in the parent dir, dropped keywords, imlate, packages that have just ~arch, ebuild metadata verification, and "ebuild has been unstable for arch X for greater than N days"). Any other requests in terms of report generation, give a yell.

The bzr repo for it is at http://gentooexperimental.org/~ferringb/bzr/test-runner/

Adding a new test is easy enough- or if you're after making it pretty (feel free to, not my cup 'o tea), go nuts- the reports started out as just testing of the GLSA vulnerable pkgset in pkgcore.

Reports are regenerated every 4 hours- patrick would be the one to ask about making it more frequent.

~harring
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Thomas Cort @ 2006-05-23 22:44 UTC
To: gentoo-dev

On Tue, 23 May 2006 13:44:09 -0700 Brian Harring <ferringb@gmail.com> wrote:
> Couple more reports generated (in the parent dir, dropped keywords,
> imlate, packages that have just ~arch, ebuild metadata verification,
> and "ebuild has been unstable for arch X for greater then N days).

Seems like we have a lot of people generating reports....

aliz      http://gentoo.tamperd.net/stable/
blubb     http://blubb.ch/gentoo/amd64/
tcort     http://dev.gentoo.org/~tcort/imlate/
          http://dev.gentoo.org/~tcort/dropped/
ferringb: http://gentooexperimental.org/~ferringb/reports/
halcy0n:  http://dev.gentoo.org/~halcy0n/imlate/
          http://dev.gentoo.org/~halcy0n/keyword-moves/
hansmi:   recently sent the output of imlate.py to amd64@g.o

Would it be possible to get a centralized place for all of this stuff? Could a reports.gentoo.org or something similar be set up to run scripts/programs every hour or two?

~tcort
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-23 20:51 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

No offense, but that isn't exactly useful in its current form. For example, x86 shows *all* of the packages, even ones where it has a non-vulnerable version stable. I guess a breakdown of which architectures still do not have a version *higher* than the ones listed by the GLSA stable would be necessary instead.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Brian Harring @ 2006-05-23 21:06 UTC
To: gentoo-dev

On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
>
> No offense, but that isn't exactly useful in its current form. For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable.
> I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

You're ignoring the fact that ebuilds can and do specify version ranges that result in portage using something other than the highest- the report is a listing of "these pkgs are vulnerable according to glsas", the arch-vulns is just a view of that with stable/unstable for that arch collapsed into one.

In other words... having a version stable that isn't affected by the glsa, good and grand, but the ebuilds sitting in the tree are *still* vulnerable.

Splitting off a stable vs unstable is doable, but the intention of that report is to spell out which packages in the tree are vulnerable, thus in need of getting the boot.

~harring
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-23 21:46 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 14:06 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > > And now per arch breakdowns.
> > > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> >
> > No offense, but that isn't exactly useful in its current form. For
> > example, x86 shows *all* of the packages, even ones where it has a
> > non-vulnerable version stable.
> > I guess a breakdown of which
> > architectures still do not have a version *higher* than the ones listed
> > by the GLSA stable would be necessary instead.
>
> You're ignoring the fact that ebuilds can and do specify version
> ranges that result in portage using something other then the highest-
> the report is a listing of "these pkgs are vulnerable according to
> glsas", the arch-vulns is just a view of that with stable/unstable for
> that arch collapsed into one.
>
> In other words... having a version stable that isn't affected by the
> glsa, good and grand, but the ebuilds sitting in the tree are *still*
> vulnerable.
>
> Splitting off a stable vs unstable is doable, but the intention of
> that report is to spell out which packages in the tree are vulnerable,
> thus in need of getting the boot.

I completely understand this. However, in most cases the reason the older packages are still in the tree is because *somebody* doesn't have it stable yet. If we knew which arch(es) didn't have a non-vulnerable version stable, then we could either remove the version, as it is no longer needed, or determine who needs to catch up on keywording.

As it stands now, there's a huge number of packages listed for x86, where x86 can't necessarily do anything because someone else might not have a newer version stable.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Brian Harring @ 2006-05-23 22:05 UTC
To: gentoo-dev

On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> I completely understand this. However, in most cases the reason the
> older packages are still in the tree is because *somebody* doesn't have
> it stable yet.

Strictly stable, or unstable?

What about profiles, which to account for? Stable (keyword) doesn't mean visible (profile p.mask or global p.mask), scan 'em all?

~harring
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-23 22:24 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > I completely understand this. However, in most cases the reason the
> > older packages are still in the tree is because *somebody* doesn't have
> > it stable yet.
>
> Strictly stable, or unstable?

I guess in this case, we would want both, so we can tell who's where.

> What about profiles, which to account for? Stable (keyword) doesn't
> mean visible (profile p.mask or global p.mask), scan 'em all?

I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc, at all.

By the way, thanks for this information. Things like this really do help us clean up the tree and it is appreciated, even if my tone doesn't always come across that way.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Brian Harring @ 2006-05-23 22:36 UTC
To: gentoo-dev

On Tue, May 23, 2006 at 06:24:31PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> > On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > > I completely understand this. However, in most cases the reason the
> > > older packages are still in the tree is because *somebody* doesn't have
> > > it stable yet.
> >
> > Strictly stable, or unstable?
>
> I guess in this case, we would want both, so we can tell who's where.
>
> > What about profiles, which to account for? Stable (keyword) doesn't
> > mean visible (profile p.mask or global p.mask), scan 'em all?
>
> I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc,
> at all.

Commented in #-security about it, but any reason that arches don't yank their keywords from insecure ebuilds after they've stabled a replacement?

For example, app-arch/unarj-2.63a-r1 is vulnerable to glsa 200411-29; 2.63a-r2 was stabled 18 months ago, yet the vulnerable version remains visible to x86 stable users- any reason arches don't drop keywords from vulnerable versions after their stable replacement has proven itself (few weeks, whatever timeline people prefer).

Will generate a report for what you're asking, but tbh, bit curious why arches don't just pull their keywording from bad ebuilds- ebuild is going to be removed as soon as all arches have a stable replacement, so all it's accomplishing is leaving a vulnerable ebuild accessible for longer.

That said, also requires more work- so... just a thought, that one. :)

~harring
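The scan the thread is built around, as an added example that is not ferringb's test-runner or any other report script mentioned above: it parses the `<affected>` ranges of GLSA XML, checks a tree snapshot for ebuilds that still fall inside a vulnerable range (Ned's original report), and then breaks the result down per arch in the two ways the replies ask for: which arches block removal because they are stable only on a vulnerable version (Chris's request), and which arches still keep a stable keyword on a vulnerable version although a fixed version is stable for them (Brian's unarj point). The GLSA id 200411-29 and the unarj versions are taken from the thread; the second GLSA (`YYYYMM-NN`, `app-misc/example`), the KEYWORDS strings in the snapshot, and the version ordering (a simplified reading of the PMS rules: numeric parts, optional letter, `_alpha/_beta/_pre/_rc/_p`, `-rN`) are assumptions made for the example.

```python
import re
from xml.etree import ElementTree as ET

# Simplified PMS version ordering: numeric parts, optional letter, the
# _alpha/_beta/_pre/_rc/_p suffixes and a -rN revision.  Leading-zero rules
# and the GLSA rlt/rle/rgt/rge revision ranges are left out on purpose.
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "p": 5}
_RELEASE_RANK = 4  # a bare release sorts after _rc and before _p
_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$")

def version_key(version):
    """Sort key for a Gentoo-style version string such as '2.63a-r1'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unsupported version string: %r" % version)
    numbers, letter, suffixes, revision = m.groups()
    suffix_key = []
    for suf in filter(None, suffixes.split("_")):
        name = suf.rstrip("0123456789")
        suffix_key.append((_SUFFIX_RANK[name], int(suf[len(name):] or 0)))
    suffix_key.append((_RELEASE_RANK, 0))  # so 1.0_rc1 < 1.0 < 1.0_p1
    return (tuple(int(n) for n in numbers.split(".")), letter, suffix_key,
            int(revision or 0))

_RANGE_OPS = {"lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
              "eq": lambda a, b: a == b, "ge": lambda a, b: a >= b,
              "gt": lambda a, b: a > b}

def in_range(version, op, bound):
    return _RANGE_OPS[op](version_key(version), version_key(bound))

def parse_glsa(xml_text):
    """Yield (glsa_id, package, vulnerable_ranges, unaffected_ranges) for each
    <package> in a GLSA document; ranges are (op, version) pairs."""
    root = ET.fromstring(xml_text)
    for pkg in root.iter("package"):
        vuln = [(e.get("range"), e.text.strip()) for e in pkg.findall("vulnerable")]
        unaff = [(e.get("range"), e.text.strip()) for e in pkg.findall("unaffected")]
        yield root.get("id"), pkg.get("name"), vuln, unaff

def is_vulnerable(version, vulnerable, unaffected):
    """True if some vulnerable range matches and no unaffected range does
    (unaffected ranges win; that is the reading of GLSA semantics used here)."""
    if any(in_range(version, op, b) for op, b in unaffected):
        return False
    return any(in_range(version, op, b) for op, b in vulnerable)

def stable_arches(keywords):
    """Arches with a stable keyword in a KEYWORDS string ('~arch' is testing)."""
    return {k for k in keywords.split() if not k.startswith(("~", "-"))}

def report(tree, glsas):
    """tree is package -> {version: KEYWORDS}.  For every (glsa, package) with
    a vulnerable ebuild still present: the vulnerable versions, the arches that
    block removal (stable only on a vulnerable version) and the stale stable
    keywords (arch stable on a vulnerable version although a fix is stable)."""
    out = {}
    for glsa_id, pkg, vuln, unaff in glsas:
        versions = tree.get(pkg, {})
        bad = sorted((v for v in versions if is_vulnerable(v, vuln, unaff)),
                     key=version_key)
        if not bad:
            continue
        fixed_stable = set()  # arches with a stable keyword on a non-vulnerable version
        for v, keywords in versions.items():
            if v not in bad:
                fixed_stable |= stable_arches(keywords)
        bad_stable = {}  # arch -> vulnerable versions it still keeps stable
        for v in bad:
            for arch in stable_arches(versions[v]):
                bad_stable.setdefault(arch, []).append(v)
        out[(glsa_id, pkg)] = {
            "vulnerable_in_tree": bad,
            "blocking_arches": sorted(a for a in bad_stable if a not in fixed_stable),
            "stale_stable": {a: v for a, v in bad_stable.items() if a in fixed_stable},
        }
    return out

# Constructed sample GLSAs: the unarj ranges follow the thread (2.63a-r1
# vulnerable per 200411-29, 2.63a-r2 the fix); the second GLSA is hypothetical.
SAMPLE_GLSAS = [
    '<glsa id="200411-29"><affected><package name="app-arch/unarj" auto="yes" arch="*">'
    '<unaffected range="ge">2.63a-r2</unaffected><vulnerable range="lt">2.63a-r2'
    '</vulnerable></package></affected></glsa>',
    '<glsa id="YYYYMM-NN"><affected><package name="app-misc/example" auto="yes" arch="*">'
    '<unaffected range="ge">1.0</unaffected><vulnerable range="lt">1.0</vulnerable>'
    '</package></affected></glsa>',
]

# Constructed tree snapshot: package -> {version: KEYWORDS}.
SAMPLE_TREE = {
    "app-arch/unarj": {"2.63a-r1": "amd64 ppc x86", "2.63a-r2": "amd64 ~ppc x86"},
    "app-misc/example": {"1.0_rc1": "x86", "1.0": "~amd64 x86", "1.0-r1": "amd64 x86"},
}

def sample_report():
    """Run the scan over the constructed sample data."""
    return report(SAMPLE_TREE, [g for doc in SAMPLE_GLSAS for g in parse_glsa(doc)])

if __name__ == "__main__":
    for (glsa_id, pkg), info in sorted(sample_report().items()):
        print(glsa_id, pkg, info)
```

On a real tree the GLSA documents live under metadata/glsa/ and the KEYWORDS would come from the ebuild metadata cache rather than a hand-built dict. For the unarj sample the report lists ppc as the blocking arch (stable on 2.63a-r1, only ~ppc on 2.63a-r2), so the ebuild cannot go yet, and amd64 and x86 as stale: both are stable on the fix but still expose 2.63a-r1 to their stable users, which is exactly the keyword drop Brian proposes.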
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Doug Goldstein @ 2006-05-24 4:11 UTC
To: gentoo-dev

Brian Harring wrote:
>
> Commented in #-security about it, but any reason that arches don't yank
> their keywords from insecure ebuilds after they've stabled a
> replacement?
>

Brian,

I asked about this VERY same thing a long while back and at best I received "Because person X said no." So you ask X and they say the person that sent you to them said no.

The only argument against it was that it'd break the depend tree if package Y depends on version <=0.99 of package X and versions > 1.0 of X are vulnerability free.

My opinion is "snap, crackle, and pop"... let the tree break. But better yet... figure out what depends on package X <=1.0 and p.mask it.

-- 
Doug Goldstein <cardoe@gentoo.org>
http://dev.gentoo.org/~cardoe/
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-24 12:06 UTC
To: gentoo-dev

On Wed, 2006-05-24 at 00:11 -0400, Doug Goldstein wrote:
> My opinion is "snap, crackle, and pop"... let the tree break. But better
> yet... figure out what depends on package X <=1.0 and p.mask it.

Umm... anything that depends on the package in question *should* be getting masked. There's no opinion to it. Breaking the tree is a definite no-no.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-24 12:02 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 15:36 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 06:24:31PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> > > On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > > > I completely understand this. However, in most cases the reason the
> > > > older packages are still in the tree is because *somebody* doesn't have
> > > > it stable yet.
> > >
> > > Strictly stable, or unstable?
> >
> > I guess in this case, we would want both, so we can tell who's where.
> >
> > > What about profiles, which to account for? Stable (keyword) doesn't
> > > mean visible (profile p.mask or global p.mask), scan 'em all?
> >
> > I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc,
> > at all.
>
> Commented in #-security about it, but any reason that arches don't yank
> their keywords from insecure ebuilds after they've stabled a
> replacement?

Honestly, I see no reason why we couldn't do that. It would add a tiny bit more work, really, so that shouldn't be much of an issue. It would then allow us to easily see who is affected by what, with your current reports.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Ned Ludd @ 2006-05-23 21:50 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 16:51 -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
>
> No offense, but that isn't exactly useful in its current form.

heh.

> For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable.

Yeah, that's the point of this spring cleaning round.

> I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

s/necessary/'ideal for Chris'/

Feel free to fire off a request to ferringb. He is trying to be helpful here and I'm all for taking advantage of that.

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-23 22:22 UTC
To: gentoo-dev

On Tue, 2006-05-23 at 17:50 -0400, Ned Ludd wrote:
> Feel free to fire off a request to ferringb.
> He is trying to be helpful here and I'm all for taking
> advantage of that.

Oh, absolutely. I didn't mean to come across sounding like I wasn't grateful for the information he's providing. I was merely making a suggestion on how it could have been better and I guess it came out wrong.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Ned Ludd @ 2006-05-28 18:20 UTC
To: gentoo-dev

The following maintainers and maintaining herds are affected by this in one way or another. This list is still far too large for me to want to file a bug for.. So please do what you can to help narrow this list down. Granted, not all cases can be solved easily, especially when it's some misc arch which is forcing you to keep a package in the tree when you don't want to. For those cases please file an arch stabilization bug where appropriate.

Thanks in advance.

---------------------------------------------------------
aliz amd64 antivirus apache apache-bugs avenj base-system bug-wranglers carlo chrb cjk cluster crypto dang desktop-misc dju dmwaters eldad emacs eradicator exg flameeyes games gimli gnome gnome-office graphics hadfield humpback java ka0ttic kde kernel kloeri lanius latexer lcars ldap ldap-bugs liquidx lu_zero maintainer-needed maintainer-wanted malenko malverian media-gfx media-video mkay ml mozilla mysql nerdboy net-dialup net-fs net-im net-irc net-mail net-p2p net-zope netmon no-herd obz pam pam-bugs perl php postgresql printing python ramereth robbat2 sekretarz shell-tools slarti smithj sound spock stkn svyatogor tantive taviso tchiwam text-markup toolchain trapni usata vapier video voip vserver vserver-devs web-apps wine wschlich www-servers x86-kernel xemacs

On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
[snip]

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

[-- Attachment #2: Type: application/x-shellscript, Size: 934 bytes --]

[-- Attachment #3: meta.log, Type: text/x-log, Size: 11401 bytes --]

Package: app-admin/gtkdiskfree  Herd: no-herd  Maintainer: no-herd  Description: ...
Package: app-admin/webmin  Herd: no-herd  Maintainer: eradicator@gentoo.org
Package: app-antivirus/clamav  Herd: net-mail, antivirus  Maintainer: net-mail, antivirus
Package: app-arch/rar  Herd: no-herd  Maintainer: aliz@gentoo.org
Package: app-arch/star  Herd: shell-tools  Maintainer: slarti@gentoo.org
Package: app-arch/unarj  Herd: no-herd  Maintainer: maintainer-wanted@gentoo.org  Description: ...
Package: app-arch/zoo  Herd: no-herd  Maintainer: bug-wranglers@gentoo.org
Package: app-crypt/gnupg  Herd: crypto  Maintainer: crypto@gentoo.org  Description: ...
Package: app-doc/chmlib  Herd: no-herd  Maintainer: svyatogor@gentoo.org
Package: app-editors/emacs  Herd: emacs  Maintainer: emacs
Package: app-editors/gedit  Herd: gnome  Maintainer: gnome
Package: app-editors/xemacs  Herd: xemacs  Maintainer: xemacs@gentoo.org
Package: app-emulation/wine  Herd: wine  Maintainer: wine  Description: ...
Package: app-misc/lcdproc  Metadata: missing? candidate for tree removal  ChangeLog: 5 aliz, 4 agriffis, 3 avenj, 2 plasmaroo, 2 latexer, 2 mr_bones_, 1 hansmi, 1 msterret, 1 gustavoz, 1 josejx, 1 vapier, 1 gbevin,
Package: app-misc/mc  Herd: no-herd  Maintainer: lanius@gentoo.org
Package: app-office/abiword  Herd: gnome-office  Maintainer: gnome-office
Package: app-office/dia  Herd: gnome-office  Maintainer: gnome-office  Description: ...
Package: app-office/koffice  Herd: kde  Maintainer: kde
Package: app-office/kword  Herd: kde  Maintainer: kde
Package: app-text/acroread  Herd: printing  Maintainer: printing
Package: app-text/cstetex  Herd: text-markup  Maintainer: malenko@email.cz
Package: app-text/gpdf  Herd: gnome  Maintainer: gnome
Package: app-text/pdftohtml  Herd: printing  Maintainer: robbat2@gentoo.org
Package: app-text/pstotext  Herd: text-markup  Maintainer: text-markup
Package: app-text/ptex  Herd: text-markup, cjk  Maintainer: usata@gentoo.org  Description: ...
Package: app-text/tetex  Herd: text-markup  Maintainer: text-markup
Package: app-text/unrtf  Herd: no-herd  Maintainer: robbat2@gentoo.org
Package: dev-db/mysql  Herd: mysql  Maintainer: mysql
Package: dev-db/postgresql  Herd: postgresql  Maintainer: postgresql
Package: dev-java/blackdown-jdk  Herd: java  Maintainer: java
Package: dev-java/blackdown-jre  Herd: java  Maintainer: java
Package: dev-java/sun-jdk  Herd: java  Maintainer: java  Description: ...
Package: dev-lang/perl  Herd: perl  Maintainer: perl@gentoo.org
Package: dev-lang/php  Herd: php  Maintainer: php
Package: dev-lang/python  Herd: python  Maintainer: liquidx@gentoo.org
Package: dev-libs/cyrus-sasl  Herd: net-mail  Maintainer: net-mail
Package: dev-libs/libpcre  Herd: no-herd  Maintainer: carlo@gentoo.org
Package: dev-libs/libtasn1  Herd: crypto  Maintainer: crypto@gentoo.org, liquidx@gentoo.org
Package: dev-libs/openssl  Herd: base-system  Maintainer: base-system
Package: dev-libs/pwlib  Herd: voip, gnome  Maintainer: stkn@gentoo.org
Package: dev-ml/ocaml-mysql  Herd: ml  Maintainer: ml
Package: dev-python/mod_python  Herd: python, apache  Maintainer: python, apache  Description: ...
Package: dev-python/py2play  Herd: python, games  Maintainer: python, games
Package: games-fps/cube  Herd: games  Maintainer: games
Package: games-fps/doomsday  Herd: games  Maintainer: games
Package: games-roguelike/falconseye  Herd: games  Maintainer: games
Package: games-roguelike/nethack  Herd: games  Maintainer: games
Package: games-roguelike/slashem  Herd: games  Maintainer: games
Package: games-strategy/scorched3d  Herd: games  Maintainer: games
Package: kde-base/kdegraphics  Herd: kde  Maintainer: kde
Package: kde-base/kdelibs  Herd: kde  Maintainer: kde
Package: kde-base/kpdf  Herd: kde  Maintainer: kde
Package: mail-client/evolution  Herd: gnome-office  Maintainer: obz@gentoo.org, liquidx@gentoo.org
Package: mail-client/mozilla-thunderbird  Herd: mozilla  Maintainer: mozilla
Package: mail-client/mozilla-thunderbird-bin  Herd: mozilla  Maintainer: mozilla
Package: mail-mta/sendmail  Herd: net-mail  Maintainer: lcars@gentoo.org
Package: mail-mta/xmail  Herd: net-mail  Maintainer: net-mail
Package: media-gfx/blender  Herd: graphics  Maintainer: malverian@gentoo.org, lu_zero@gentoo.org  Description: ...
Package: media-gfx/fbida  Herd: no-herd  Maintainer: spock@gentoo.org
Package: media-gfx/graphicsmagick  Herd: Error (No Herd)  Maintainer: kloeri@gentoo.org
Package: media-gfx/imagemagick  Herd: graphics  Maintainer: sekretarz@gentoo.org
Package: media-gfx/pngcrush  Herd: no-herd  Maintainer: no-herd
Package: media-gfx/xli  Herd: no-herd  Maintainer: no-herd
Package: media-gfx/xv  Herd: no-herd  Maintainer: taviso@gentoo.org
Package: media-gfx/xzgv  Herd: no-herd  Maintainer: smithj@gentoo.org
Package: media-gfx/zgv  Herd: no-herd  Maintainer: no-herd
Package: media-libs/gdk-pixbuf  Herd: gnome  Maintainer: gnome
Package: media-libs/giflib  Herd: graphics  Maintainer: graphics
Package: media-libs/libcdaudio  Herd: no-herd  Maintainer: no-herd
Package: media-libs/netpbm  Herd: media-gfx  Maintainer: graphics@gentoo.org
Package: media-libs/pdflib  Herd: no-herd  Maintainer: maintainer-needed@gentoo.org
Package: media-libs/tiff  Herd: graphics  Maintainer: nerdboy@gentoo.org  Description: ...
Package: media-libs/xine-lib  Herd: video  Maintainer: flameeyes@gentoo.org  Description: ...
Package: media-sound/gnump3d  Herd: sound  Maintainer: sound
Package: media-sound/mpg321  Herd: sound  Maintainer: sound
Package: media-sound/peercast  Herd: sound  Maintainer: sound
Package: media-video/ffmpeg  Herd: video  Maintainer: media-video@gentoo.org
Package: media-video/mplayer  Herd: video  Maintainer: media-video@gentoo.org
Package: media-video/mplayer-bin  Herd: amd64  Maintainer: dang@gentoo.org
Package: media-video/realplayer  Herd: video  Maintainer: media-video@gentoo.org
Package: net-analyzer/cacti  Herd: netmon  Maintainer: ramereth@gentoo.org  Description: ...
Package: net-analyzer/ethereal  Herd: netmon  Maintainer: netmon  Description: ...
Package: net-analyzer/nagios-core  Herd: netmon  Maintainer: eldad@gentoo.org, ramereth@gentoo.org  Description: ...
Package: net-dns/dnsmasq  Herd: no-herd  Maintainer: avenj@gentoo.org
Package: net-dns/pdnsd  Herd: net-dialup  Maintainer: net-dialup  Description: ...
Package: net-firewall/firehol  Herd: Error (No Herd)  Maintainer: centic@gentoo.org
Package: net-firewall/ipsec-tools  Herd: no-herd  Maintainer: latexer@gentoo.org
Package: net-fs/ncpfs  Herd: net-fs  Maintainer: net-fs  Description: ...
Package: net-ftp/ftpd  Metadata: missing? candidate for tree removal  ChangeLog: 3 raker, 3 weeve, 3 seemant, 2 blubb, 2 agriffis, 2 dragonheart, 1 halcy0n, 1 swegener, 1 absinthe, 1 dholm, 1 mholzer, 1 yoswink,
Package: net-ftp/gproftpd  Herd: no-herd  Maintainer: bug-wranglers@gentoo.org
Package: net-im/centericq  Herd: net-im  Maintainer: wschlich@gentoo.org  Description: ...
Package: net-im/ekg  Herd: net-im  Maintainer: spock@gentoo.org
Package: net-im/kadu  Herd: net-im  Maintainer: mkay@gentoo.org
Package: net-im/linpopup  Metadata: missing? candidate for tree removal  ChangeLog: 3 mholzer, 2 vapier, 1 agriffis, 1 SeJo, 1 aliz,
Package: net-irc/xchat  Herd: net-irc  Maintainer: net-irc
Package: net-libs/gecko-sdk  Herd: mozilla  Maintainer: mozilla
Package: net-libs/gnutls  Herd: crypto  Maintainer: crypto@gentoo.org, liquidx@gentoo.org
Package: net-libs/libgadu  Herd: net-im  Maintainer: sekretarz@gentoo.org
Package: net-libs/openslp  Herd: printing  Maintainer: liquidx@gentoo.org
Package: net-mail/metamail  Herd: net-mail  Maintainer: net-mail
Package: net-misc/axel  Metadata: missing? candidate for tree removal  ChangeLog: 1 hansmi, 1 squinky86, 1 ka0ttic, 1 j4rg0n, 1 taviso, 1 phoenix, 1 swegener, 1 agriffis, 1 tgall, 1 dragonheart, 1 cryos, 1 manson, 1 gustavoz, 1 dholm, 1 corsair, 1 mr_bones_, 1 stroke,
Package: net-misc/curl  Herd: no-herd  Maintainer: liquidx@gentoo.org
Package: net-misc/hashcash  Herd: no-herd  Maintainer: kloeri@gentoo.org
Package: net-misc/openssh  Herd: base-system  Maintainer: lcars@gentoo.org  Description: ...
Package: net-misc/proxytunnel  Metadata: missing? candidate for tree removal  ChangeLog: 5 vapier, 2 sbriesen, 1 antarus, 1 klieber, 1 solar, 1 squinky86, 1 dholm,
Package: net-misc/rsync  Herd: base-system  Maintainer: base-system
Package: net-misc/zebedee  Metadata: missing? candidate for tree removal  ChangeLog: 3 seemant, 2 alron, 2 agriffis, 1 yoswink, 1 randy, 1 ciaranm, 1 vanquirius, 1 kloeri,
Package: net-nds/openldap  Herd: ldap  Maintainer: ldap-bugs@gentoo.org
Package: net-p2p/limewire  Herd: net-p2p  Maintainer: net-p2p
Package: net-print/cups  Herd: printing  Maintainer: printing
Package: net-www/apache  Herd: apache  Maintainer: apache-bugs@gentoo.org  Description: ...
Package: net-www/awstats  Herd: web-apps  Maintainer: ka0ttic@gentoo.org
Package: net-www/mod_auth_pgsql  Herd: postgresql, apache  Maintainer: postgresql, apache
Package: net-www/mod_dav  Herd: apache  Maintainer: apache-bugs@gentoo.org
Package: net-www/mod_ssl  Herd: apache  Maintainer: apache-bugs@gentoo.org
Package: net-www/netscape-flash  Herd: no-herd  Maintainer: no-herd
Package: net-zope/zope  Herd: net-zope  Maintainer: net-zope
Package: sys-apps/groff  Herd: base-system  Maintainer: base-system
Package: sys-auth/nss_ldap  Herd: no-herd  Maintainer: robbat2@gentoo.org
Package: sys-auth/pam_ldap  Herd: pam  Maintainer: pam-bugs@gentoo.org
Package: sys-block/nbd  Herd: base-system  Maintainer: base-system
Package: sys-cluster/heartbeat  Herd: cluster  Maintainer: cluster@gentoo.org  Description: ...
Package: sys-cluster/openmosixview  Herd: cluster  Maintainer: tantive@gentoo.org
Package: sys-devel/binutils  Herd: toolchain  Maintainer: toolchain
Package: sys-devel/flex  Herd: base-system  Maintainer: base-system
Package: sys-devel/gdb  Herd: toolchain  Maintainer: toolchain
Package: sys-kernel/vanilla-sources  Herd: x86-kernel  Maintainer: x86-kernel@gentoo.org  Description: ...
Package: sys-kernel/vserver-sources  Herd: vserver  Maintainer: vserver-devs@gentoo.org  Description: ...
Package: sys-kernel/xbox-sources Herd: x86-kernel, kernel Maintainer: chrb@gentoo.org, gimli@gentoo.org Description: ... Package: sys-libs/glibc Herd: toolchain Maintainer: toolchain Package: www-apache/libapreq2 Herd: perl Maintainer: perl@gentoo.org Package: www-apps/horde Herd: web-apps Maintainer: vapier@gentoo.org Description: ... Package: www-apps/mediawiki Herd: web-apps Maintainer: trapni@gentoo.org, tchiwam@gentoo.org Package: www-apps/trac Herd: web-apps Maintainer: dju@gentoo.org Package: www-apps/twiki Herd: web-apps Maintainer: web-apps@gentoo.org Package: www-client/dillo Herd: no-herd Maintainer: usata@gentoo.org Package: www-client/lynx Herd: no-herd Maintainer: dmwaters@gentoo.org, hadfield@gentoo.org Package: www-client/mozilla Herd: mozilla Maintainer: mozilla Package: www-client/mozilla-bin Herd: mozilla Maintainer: mozilla Package: www-client/mozilla-firefox Herd: mozilla Maintainer: mozilla Package: www-client/mozilla-firefox-bin Herd: mozilla Maintainer: mozilla Package: www-client/prozilla Herd: no-herd Maintainer: humpback@gentoo.org Package: www-servers/monkeyd Herd: www-servers Maintainer: www-servers Package: x11-libs/lesstif Herd: no-herd Maintainer: lanius@gentoo.org Package: x11-libs/libast Herd: no-herd Maintainer: vapier@gentoo.org Description: ... Package: x11-libs/openmotif Herd: no-herd Maintainer: lanius@gentoo.org Package: x11-misc/xnview Herd: desktop-misc Maintainer: desktop-misc Package: x11-terms/rxvt-unicode Herd: no-herd Maintainer: latexer@gentoo.org, exg@gentoo.org ^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Robin H. Johnson @ 2006-05-28 20:18 UTC
To: gentoo-dev

On Sun, May 28, 2006 at 02:20:55PM -0400, Ned Ludd wrote:
> Package: net-nds/openldap Herd: ldap Maintainer: ldap-bugs@gentoo.org

We will be keeping the most recent version of each of the major releases, as there are still people using them for interoperability with other systems.

> Package: sys-auth/nss_ldap Herd: no-herd Maintainer: robbat2@gentoo.org
> Package: sys-auth/pam_ldap Herd: pam Maintainer: pam-bugs@gentoo.org

Could I ask that nobody touch these two for a moment. There are a few odd bugs that only seem to bite some people, some of the time, and it's an ongoing process tracing them still.

> Package: app-text/pdftohtml Herd: printing Maintainer: robbat2@gentoo.org

Removed entire package. Was hardmasked since January for security reasons; poppler is the replacement.

> Package: app-text/unrtf Herd: no-herd Maintainer: robbat2@gentoo.org

Cleaned up two old versions - in 1 month, the latest series can go to stable, and the other two ebuilds in here can get cleaned up.

--
Robin Hugh Johnson
E-Mail : robbat2@gentoo.org
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Ned Ludd @ 2006-05-29 1:17 UTC
To: gentoo-dev

On Sun, 2006-05-28 at 13:18 -0700, Robin H. Johnson wrote:
> On Sun, May 28, 2006 at 02:20:55PM -0400, Ned Ludd wrote:
> > Package: net-nds/openldap Herd: ldap Maintainer: ldap-bugs@gentoo.org
> We will be keeping the most recent version of each of the major
> releases, as there are still people using them for interoperability with
> other systems.
>
> > Package: sys-auth/nss_ldap Herd: no-herd Maintainer: robbat2@gentoo.org
> > Package: sys-auth/pam_ldap Herd: pam Maintainer: pam-bugs@gentoo.org
> Could I ask that nobody touch these two for a moment.
> There are a few odd bugs that only seem to bite some people, some of the
> time, and it's an ongoing process tracing them still.

You got it.

> > Package: app-text/pdftohtml Herd: printing Maintainer: robbat2@gentoo.org
> Removed entire package.
> Was hardmasked since January for security reasons, poppler is the replacement.
>
> > Package: app-text/unrtf Herd: no-herd Maintainer: robbat2@gentoo.org
> Cleaned up two old versions - in 1 month, the latest series can go to
> stable, and the other two ebuilds in here can get cleaned up.

The tree thanks you :)

--
Ned Ludd <solar@gentoo.org>
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Chris Gianelloni @ 2006-05-29 20:22 UTC
To: gentoo-dev

On Sun, 2006-05-28 at 14:20 -0400, Ned Ludd wrote:
> Package: games-fps/cube Herd: games Maintainer: games

This will likely be removed soon, as upstream has abandoned it.

> Package: games-fps/doomsday Herd: games Maintainer: games

Waiting on a new upstream release. Upstream is active, so we expect one some time soon.

> Package: games-roguelike/falconseye Herd: games Maintainer: games
> Package: games-roguelike/nethack Herd: games Maintainer: games
> Package: games-roguelike/slashem Herd: games Maintainer: games

These three will be unmasked soon with a changed policy wrt games on portage.

> Package: games-strategy/scorched3d Herd: games Maintainer: games

Waiting for upstream.

Basically, we're keeping track of our masked packages as well as we can. There are many times where we don't want to remove the package, knowing that upstream will be coming out with a newer version "any day now", as it tends to upset our users.

--
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
* Re: [gentoo-dev] Security/QA Spring Cleaning
From: Eldad Zack @ 2006-06-02 13:15 UTC
To: gentoo-dev

On Sunday 28 May 2006 21:20, Ned Ludd wrote:
> The following maintainers and maintaining herds are affected by this
> in one way or another. This list is still far too large for me to want to
> file a bug for.. So please do what you can to help narrow this list
> down.
>
> Granted not all cases can be solved easily, especially when it's some
> misc arch which is forcing you to keep a package in the tree when you
> don't want to. For those cases please file an arch stabilization bug
> where appropriate.
>
> Package: net-analyzer/nagios-core Herd: netmon Maintainer: eldad@gentoo.org, ramereth@gentoo.org Description: ...

Done.

--
Eldad Zack <eldad@gentoo.org>
Key/Fingerprint at pgp.mit.edu, ID 0x96EA0A93