public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Security/QA Spring Cleaning
@ 2006-05-22  3:02 Ned Ludd
  2006-05-22  5:25 ` Robin H. Johnson
  2006-05-23 20:22 ` Ned Ludd
  0 siblings, 2 replies; 22+ messages in thread
From: Ned Ludd @ 2006-05-22  3:02 UTC
  To: gentoo-dev; +Cc: Brian Harring

ferringb took the time to write a parser and set up a cronjob
(every 4 hours at the half hour) to parse over our GLSAs and see what
pkgs remain in the tree and have nothing but newer versions stable. I
did a bit of re-parsing on his logfile to obtain herds & maintainers.
The list is big (very big) and like if I filed the bug in its current
state pretty much every single one of us would probably get dozens of
mails per comment. So, in order to try and be nice to our mail
system and bugzilla it would be really helpful if you all could grep
the affected: field and flush old vulnerable ebuilds from the tree for
any pkgs you or your herd maintain before the tracker bug is filed.

http://gentooexperimental.org/~ferringb/reports/tree-vulnerabilities.log

In the future, if you are bumping pkgs for a security bug and you are
the last arch to push to stable, please clean up the old foo.
It keeps everything running smoother and faster to have less
dead cruft in the tree.

You can use earch for this task.

wget -O /usr/local/bin/earch -q \
 http://dev.gentoo.org/~robbat2/earch-0.9.1 \
 && chmod +x /usr/local/bin/earch

It helps to make it a habit to run this before repoman --pretend scan
prior to committing to the tree.

thanks in advance.

-- 
Ned Ludd <solar@gentoo.org>
All over the place
Gentoo Linux

-- 
gentoo-dev@gentoo.org mailing list




* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-22  3:02 [gentoo-dev] Security/QA Spring Cleaning Ned Ludd
@ 2006-05-22  5:25 ` Robin H. Johnson
  2006-05-22  5:30   ` Brian Harring
  2006-05-23 20:22 ` Ned Ludd
  1 sibling, 1 reply; 22+ messages in thread
From: Robin H. Johnson @ 2006-05-22  5:25 UTC
  To: gentoo-dev; +Cc: Brian Harring

On Sun, May 21, 2006 at 11:02:22PM -0400, Ned Ludd wrote:
> ferringb took the time to write a parser and set up a cronjob
> (every 4 hours at the half hour) to parse over our GLSAs and see what
> pkgs remain in the tree and have nothing but newer versions stable. I
[snip]

Just because old versions exist, doesn't strictly mean that they are
safe to remove - some of them may be in the tree because other packages
block the newer versions.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-22  5:25 ` Robin H. Johnson
@ 2006-05-22  5:30   ` Brian Harring
  0 siblings, 0 replies; 22+ messages in thread
From: Brian Harring @ 2006-05-22  5:30 UTC
  To: gentoo-dev

No need to cc, I'm on the ml (realize the norm is to cc, but no point 
in spamming me twice ;)

On Sun, May 21, 2006 at 10:25:12PM -0700, Robin H. Johnson wrote:
> On Sun, May 21, 2006 at 11:02:22PM -0400, Ned Ludd wrote:
> > ferringb took the time to write a parser and set up a cronjob
> > (every 4 hours at the half hour) to parse over our GLSAs and see what
> > pkgs remain in the tree and have nothing but newer versions stable. I
> [snip]
> 
> Just because old versions exist, doesn't strictly mean that they are
> safe to remove - some of them may be in the tree because other packages
> block the newer versions.

Given, but vulnerable pkgs should be on the way out of the tree- this 
is strictly matching of what's vulnerable.

Not dug into the revdeps, but wouldn't be surprised if at least 25% of 
what's being matched by the vulnerability queries is just cruft that 
never got removed.

~harring


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-22  3:02 [gentoo-dev] Security/QA Spring Cleaning Ned Ludd
  2006-05-22  5:25 ` Robin H. Johnson
@ 2006-05-23 20:22 ` Ned Ludd
  2006-05-23 20:44   ` Brian Harring
                     ` (2 more replies)
  1 sibling, 3 replies; 22+ messages in thread
From: Ned Ludd @ 2006-05-23 20:22 UTC
  To: gentoo-dev

And now per arch breakdowns.
http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/


On Sun, 2006-05-21 at 23:02 -0400, Ned Ludd wrote:
> ferringb took the time to write a parser and set up a cronjob
> (every 4 hours at the half hour) to parse over our GLSAs and see what
> pkgs remain in the tree and have nothing but newer versions stable. I
> did a bit of re-parsing on his logfile to obtain herds & maintainers.
> The list is big (very big) and like if I filed the bug in its current
> state pretty much every single one of us would probably get dozens of
> mails per comment. So, in order to try and be nice to our mail
> system and bugzilla it would be really helpful if you all could grep
> the affected: field and flush old vulnerable ebuilds from the tree for
> any pkgs you or your herd maintain before the tracker bug is filed.
>
> http://gentooexperimental.org/~ferringb/reports/tree-vulnerabilities.log
>
> In the future, if you are bumping pkgs for a security bug and you are
> the last arch to push to stable, please clean up the old foo.
> It keeps everything running smoother and faster to have less
> dead cruft in the tree.
>
> You can use earch for this task.
>
> wget -O /usr/local/bin/earch -q \
>  http://dev.gentoo.org/~robbat2/earch-0.9.1 \
>  && chmod +x /usr/local/bin/earch
>
> It helps to make it a habit to run this before repoman --pretend scan
> prior to committing to the tree.
> 
> thanks in advance.
> 
> -- 
> Ned Ludd <solar@gentoo.org>
> All over the place
> Gentoo Linux
> 
-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:22 ` Ned Ludd
@ 2006-05-23 20:44   ` Brian Harring
  2006-05-23 22:44     ` Thomas Cort
  2006-05-23 20:51   ` Chris Gianelloni
  2006-05-28 18:20   ` Ned Ludd
  2 siblings, 1 reply; 22+ messages in thread
From: Brian Harring @ 2006-05-23 20:44 UTC
  To: gentoo-dev

On Tue, May 23, 2006 at 04:22:30PM -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

Couple more reports generated (in the parent dir, dropped keywords,
imlate, packages that have just ~arch, ebuild metadata verification,
and "ebuild has been unstable for arch X for greater than N days").

Any other requests in terms of report generation, give 
a yell.  The bzr repo for it is at 
http://gentooexperimental.org/~ferringb/bzr/test-runner/

Adding a new test is easy enough- or if you're after making it pretty 
(feel free to, not my cup 'o tea), go nuts- the reports started out as 
just testing of the GLSA vulnerable pkgset in pkgcore.

Reports are regenerated every 4 hours- patrick would be the one to ask 
about making it more frequent.

~harring


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:22 ` Ned Ludd
  2006-05-23 20:44   ` Brian Harring
@ 2006-05-23 20:51   ` Chris Gianelloni
  2006-05-23 21:06     ` Brian Harring
  2006-05-23 21:50     ` Ned Ludd
  2006-05-28 18:20   ` Ned Ludd
  2 siblings, 2 replies; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-23 20:51 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

No offense, but that isn't exactly useful in its current form.  For
example, x86 shows *all* of the packages, even ones where it has a
non-vulnerable version stable.  I guess a breakdown of which
architectures still do not have a version *higher* than the ones listed
by the GLSA stable would be necessary instead.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:51   ` Chris Gianelloni
@ 2006-05-23 21:06     ` Brian Harring
  2006-05-23 21:46       ` Chris Gianelloni
  2006-05-23 21:50     ` Ned Ludd
  1 sibling, 1 reply; 22+ messages in thread
From: Brian Harring @ 2006-05-23 21:06 UTC
  To: gentoo-dev

On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> 
> No offense, but that isn't exactly useful in its current form.  For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable.
> I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

You're ignoring the fact that ebuilds can and do specify version 
ranges that result in portage using something other than the highest-
the report is a listing of "these pkgs are vulnerable according to 
glsas", the arch-vulns is just a view of that with stable/unstable for 
that arch collapsed into one.

In other words... having a version stable that isn't affected by the 
glsa, good and grand, but the ebuilds sitting in the tree are *still* 
vulnerable.

Splitting off a stable vs unstable is doable, but the intention of 
that report is to spell out which packages in the tree are vulnerable, 
thus in need of getting the boot.

~harring


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 21:06     ` Brian Harring
@ 2006-05-23 21:46       ` Chris Gianelloni
  2006-05-23 22:05         ` Brian Harring
  0 siblings, 1 reply; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-23 21:46 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 14:06 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > > And now per arch breakdowns.
> > > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> > 
> > No offense, but that isn't exactly useful in its current form.  For
> > example, x86 shows *all* of the packages, even ones where it has a
> > non-vulnerable version stable.
> > I guess a breakdown of which
> > architectures still do not have a version *higher* than the ones listed
> > by the GLSA stable would be necessary instead.
> 
> You're ignoring the fact that ebuilds can and do specify version 
> ranges that result in portage using something other than the highest-
> the report is a listing of "these pkgs are vulnerable according to 
> glsas", the arch-vulns is just a view of that with stable/unstable for 
> that arch collapsed into one.
> 
> In other words... having a version stable that isn't affected by the 
> glsa, good and grand, but the ebuilds sitting in the tree are *still* 
> vulnerable.
> 
> Splitting off a stable vs unstable is doable, but the intention of 
> that report is to spell out which packages in the tree are vulnerable, 
> thus in need of getting the boot.

I completely understand this.  However, in most cases the reason the
older packages are still in the tree is because *somebody* doesn't have
it stable yet.  If we knew which arch(es) didn't have a non-vulnerable
version stable, then we could either remove the version, as it is no
longer needed, or determine who needs to catch up on keywording.  As it
stands now, there's a huge number of packages listed for x86, where x86
can't necessarily do anything because someone else might not have a
newer version stable.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:51   ` Chris Gianelloni
  2006-05-23 21:06     ` Brian Harring
@ 2006-05-23 21:50     ` Ned Ludd
  2006-05-23 22:22       ` Chris Gianelloni
  1 sibling, 1 reply; 22+ messages in thread
From: Ned Ludd @ 2006-05-23 21:50 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 16:51 -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > And now per arch breakdowns.
> > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> 
> No offense, but that isn't exactly useful in its current form.  

heh.

> For
> example, x86 shows *all* of the packages, even ones where it has a
> non-vulnerable version stable.

Yeah, that's the point of this spring cleaning round.

> I guess a breakdown of which
> architectures still do not have a version *higher* than the ones listed
> by the GLSA stable would be necessary instead.

s/necessary/'ideal for Chris'/

Feel free to fire off a request to ferringb.
He is trying to be helpful here and I'm all for taking 
advantage of that.


-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 21:46       ` Chris Gianelloni
@ 2006-05-23 22:05         ` Brian Harring
  2006-05-23 22:24           ` Chris Gianelloni
  0 siblings, 1 reply; 22+ messages in thread
From: Brian Harring @ 2006-05-23 22:05 UTC
  To: gentoo-dev

On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> I completely understand this.  However, in most cases the reason the
> older packages are still in the tree is because *somebody* doesn't have
> it stable yet.

Strictly stable, or unstable?  

What about profiles, which to account for?  Stable (keyword) doesn't 
mean visible (profile p.mask or global p.mask), scan 'em all?

~harring


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 21:50     ` Ned Ludd
@ 2006-05-23 22:22       ` Chris Gianelloni
  0 siblings, 0 replies; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-23 22:22 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 17:50 -0400, Ned Ludd wrote:
> Feel free to fire off a request to ferringb.
> He is trying to be helpful here and I'm all for taking 
> advantage of that.

Oh, absolutely.  I didn't mean to come across sounding like I wasn't
grateful for the information he's providing.  I was merely making a
suggestion on how it could have been better and I guess it came out
wrong.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 22:05         ` Brian Harring
@ 2006-05-23 22:24           ` Chris Gianelloni
  2006-05-23 22:36             ` Brian Harring
  0 siblings, 1 reply; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-23 22:24 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > I completely understand this.  However, in most cases the reason the
> > older packages are still in the tree is because *somebody* doesn't have
> > it stable yet.
> 
> Strictly stable, or unstable?

I guess in this case, we would want both, so we can tell who's where.

> What about profiles, which to account for?  Stable (keyword) doesn't 
> mean visible (profile p.mask or global p.mask), scan 'em all?

I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc,
at all.

By the way, thanks for this information.  Things like this really do
help us clean up the tree and it is appreciated, even if my tone doesn't
always come across that way.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 22:24           ` Chris Gianelloni
@ 2006-05-23 22:36             ` Brian Harring
  2006-05-24  4:11               ` Doug Goldstein
  2006-05-24 12:02               ` Chris Gianelloni
  0 siblings, 2 replies; 22+ messages in thread
From: Brian Harring @ 2006-05-23 22:36 UTC
  To: gentoo-dev

On Tue, May 23, 2006 at 06:24:31PM -0400, Chris Gianelloni wrote:
> On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> > On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > > I completely understand this.  However, in most cases the reason the
> > > older packages are still in the tree is because *somebody* doesn't have
> > > it stable yet.
> > 
> > Strictly stable, or unstable?
> 
> I guess in this case, we would want both, so we can tell who's where.
> 
> > What about profiles, which to account for?  Stable (keyword) doesn't 
> > mean visible (profile p.mask or global p.mask), scan 'em all?
> 
> I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc,
> at all.

Commented in #-security about it, but any reason that arches don't yank 
their keywords from insecure ebuilds after they've stabled a 
replacement?

For example, app-arch/unarj-2.63a-r1 is vulnerable to glsa 200411-29; 
2.63a-r2 was stabled 18 months ago, yet the vulnerable version remains 
visible to x86 stable users- any reason arches don't drop keywords 
from vulnerable versions after their stable replacement has proven 
itself (few weeks, whatever timeline people prefer).

Will generate a report for what you're asking, but tbh, bit curious 
why arches don't just pull their keywording from bad ebuilds- ebuild 
is going to be removed as soon as all arches have a stable 
replacement, so all it's accomplishing is leaving a vulnerable ebuild 
accessible for longer.

That said, also requires more work- so... just a thought, that one. :)
~harring
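
The per-arch question argued over in this exchange (which arches still lack a non-vulnerable version, and which could already drop their keyword from the vulnerable ebuild) can be answered from KEYWORDS alone. The sketch below is an added example, not part of the thread and not the pkgcore report code; the KEYWORDS values and the `app-misc/example` package are constructed, the GLSA match is supplied as a flag, and reverse dependencies and profile masks are ignored.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Ebuild:
    package: str      # category/name, e.g. "app-arch/unarj"
    version: str      # e.g. "2.63a-r1"
    keywords: str     # raw KEYWORDS string from the ebuild
    vulnerable: bool  # True when a GLSA matches this version


def parse_keywords(raw):
    """Split KEYWORDS into (stable, unstable) arch sets; "-arch" is ignored."""
    stable, unstable = set(), set()
    for kw in raw.split():
        if kw.startswith("~"):
            unstable.add(kw[1:])
        elif not kw.startswith("-"):
            stable.add(kw)
    return stable, unstable


def triage(ebuilds):
    """Per vulnerable ebuild: arches that can drop their keyword, arches that lag."""
    by_pkg = defaultdict(list)
    for e in ebuilds:
        by_pkg[e.package].append(e)

    report = {}
    for pkg, versions in by_pkg.items():
        # Arches covered by any non-vulnerable version. This is deliberately
        # not "a higher version": the GLSA match decides, not version order.
        fixed_stable, fixed_any = set(), set()
        for e in versions:
            if not e.vulnerable:
                s, u = parse_keywords(e.keywords)
                fixed_stable |= s
                fixed_any |= s | u

        for e in versions:
            if not e.vulnerable:
                continue
            s, u = parse_keywords(e.keywords)
            # A stable keyword needs a stable replacement; a ~arch keyword
            # is satisfied by any keyworded replacement.
            droppable = (s & fixed_stable) | (u & fixed_any)
            lagging = (s | u) - droppable
            report[f"{pkg}-{e.version}"] = {
                "drop_keyword": sorted(droppable),
                "lagging": sorted(lagging),
                "removable": not lagging,  # nobody still relies on it
            }
    return report


def lagging_by_arch(report):
    """Invert the report: arch -> vulnerable ebuilds it still depends on."""
    out = defaultdict(list)
    for cpv, row in report.items():
        for arch in row["lagging"]:
            out[arch].append(cpv)
    return {arch: sorted(cpvs) for arch, cpvs in sorted(out.items())}


# Constructed sample data; the KEYWORDS are illustrative, not the real tree.
SAMPLE = [
    Ebuild("app-arch/unarj", "2.63a-r1", "x86 ppc sparc ~hppa", True),
    Ebuild("app-arch/unarj", "2.63a-r2", "x86 ppc ~sparc ~hppa", False),
    Ebuild("app-misc/example", "1.0", "x86 amd64", True),
    Ebuild("app-misc/example", "1.1", "x86 amd64 ~ppc", False),
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for cpv, row in result.items():
        print(cpv, row)
    print("lagging arches:", lagging_by_arch(result))
```
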


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:44   ` Brian Harring
@ 2006-05-23 22:44     ` Thomas Cort
  0 siblings, 0 replies; 22+ messages in thread
From: Thomas Cort @ 2006-05-23 22:44 UTC
  To: gentoo-dev

On Tue, 23 May 2006 13:44:09 -0700
Brian Harring <ferringb@gmail.com> wrote:
> Couple more reports generated (in the parent dir, dropped keywords,
> imlate, packages that have just ~arch, ebuild metadata verification,
> and "ebuild has been unstable for arch X for greater than N days").

Seems like we have a lot of people generating reports....

aliz
	http://gentoo.tamperd.net/stable/

blubb
	http://blubb.ch/gentoo/amd64/

tcort
	http://dev.gentoo.org/~tcort/imlate/
	http://dev.gentoo.org/~tcort/dropped/

ferringb:
	http://gentooexperimental.org/~ferringb/reports/

halcy0n:
	http://dev.gentoo.org/~halcy0n/imlate/
	http://dev.gentoo.org/~halcy0n/keyword-moves/ 

hansmi:
	recently sent the output of imlate.py to amd64@g.o

Would it be possible to get a centralized place for all of this stuff?
Could a reports.gentoo.org or something similar be set up to run
scripts/programs every hour or two?

~tcort


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 22:36             ` Brian Harring
@ 2006-05-24  4:11               ` Doug Goldstein
  2006-05-24 12:06                 ` Chris Gianelloni
  2006-05-24 12:02               ` Chris Gianelloni
  1 sibling, 1 reply; 22+ messages in thread
From: Doug Goldstein @ 2006-05-24  4:11 UTC
  To: gentoo-dev

Brian Harring wrote:
> 
> Commented in #-security about it, but any reason that arches don't yank 
> their keywords from insecure ebuilds after they've stabled a 
> replacement?
> 

Brian,

I asked about this VERY same thing a long while back and at best I
received "Because person X said no." So you ask X and they say the
person that sent you to them said no.

The only argument against it was that it'd break the depend tree if
package Y depends on version <=0.99 of package X and versions > 1.0 of X
are vulnerability free.

My opinion is "snap, crackle, and pop"... let the tree break. But better
yet... figure out what depends on package X <=1.0 and p.mask it.

-- 
Doug Goldstein <cardoe@gentoo.org>
http://dev.gentoo.org/~cardoe/



* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 22:36             ` Brian Harring
  2006-05-24  4:11               ` Doug Goldstein
@ 2006-05-24 12:02               ` Chris Gianelloni
  1 sibling, 0 replies; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-24 12:02 UTC
  To: gentoo-dev

On Tue, 2006-05-23 at 15:36 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 06:24:31PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 15:05 -0700, Brian Harring wrote:
> > > On Tue, May 23, 2006 at 05:46:09PM -0400, Chris Gianelloni wrote:
> > > > I completely understand this.  However, in most cases the reason the
> > > > older packages are still in the tree is because *somebody* doesn't have
> > > > it stable yet.
> > > 
> > > Strictly stable, or unstable?
> > 
> > I guess in this case, we would want both, so we can tell who's where.
> > 
> > > What about profiles, which to account for?  Stable (keyword) doesn't 
> > > mean visible (profile p.mask or global p.mask), scan 'em all?
> > 
> > I wouldn't scan anything that isn't "stable" or "dev" in profiles.desc,
> > at all.
> 
> Commented in #-security about it, but any reason that arches don't yank 
> their keywords from insecure ebuilds after they've stabled a 
> replacement?

Honestly, I see no reason why we couldn't do that.  It would add a tiny
bit more work, really, so that shouldn't be much of an issue.  It would
then allow us to easily see who is affected by what, with your current
reports.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-24  4:11               ` Doug Goldstein
@ 2006-05-24 12:06                 ` Chris Gianelloni
  0 siblings, 0 replies; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-24 12:06 UTC
  To: gentoo-dev

On Wed, 2006-05-24 at 00:11 -0400, Doug Goldstein wrote:
> My opinion is "snap, crackle, and pop"... let the tree break. But better
> yet... figure out what depends on package X <=1.0 and p.mask it.

Umm... anything that depends on the package in question *should* be
getting masked.  There's no opinion to it.  Breaking the tree is a
definite no-no.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-23 20:22 ` Ned Ludd
  2006-05-23 20:44   ` Brian Harring
  2006-05-23 20:51   ` Chris Gianelloni
@ 2006-05-28 18:20   ` Ned Ludd
  2006-05-28 20:18     ` Robin H. Johnson
                       ` (2 more replies)
  2 siblings, 3 replies; 22+ messages in thread
From: Ned Ludd @ 2006-05-28 18:20 UTC
  To: gentoo-dev

The following maintainers and maintaining herds are affected by this 
in one way or another. This list is still far too large for me to want to
file a bug for.. So please do what you can to help narrow this list 
down.

Granted not all cases can be solved easily especially when it's some 
misc arch which is forcing you to keep a package in the tree when you 
don't want to. For those cases please file an arch stabilization bug 
where appropriate.

Thanks in advance.
---------------------------------------------------------

aliz
amd64
antivirus
apache
apache-bugs
avenj
base-system
bug-wranglers
carlo
chrb
cjk
cluster
crypto
dang
desktop-misc
dju
dmwaters
eldad
emacs
eradicator
exg
flameeyes
games
gimli
gnome
gnome-office
graphics
hadfield
humpback
java
ka0ttic
kde
kernel
kloeri
lanius
latexer
lcars
ldap
ldap-bugs
liquidx
lu_zero
maintainer-needed
maintainer-wanted
malenko
malverian
media-gfx
media-video
mkay
ml
mozilla
mysql
nerdboy
net-dialup
net-fs
net-im
net-irc
net-mail
net-p2p
net-zope
netmon
no-herd
obz
pam
pam-bugs
perl
php
postgresql
printing
python
ramereth
robbat2
sekretarz
shell-tools
slarti
smithj
sound
spock
stkn
svyatogor
tantive
taviso
tchiwam
text-markup
toolchain
trapni
usata
vapier
video
voip
vserver
vserver-devs
web-apps
wine
wschlich
www-servers
x86-kernel
xemacs



On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> And now per arch breakdowns.
> http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/

[snip]

-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux

[-- Attachment #2: Type: application/x-shellscript, Size: 934 bytes --]

[-- Attachment #3: meta.log --]
[-- Type: text/x-log, Size: 11401 bytes --]

Package: app-admin/gtkdiskfree Herd: no-herd Maintainer: no-herd Description: ...
Package: app-admin/webmin Herd: no-herd Maintainer: eradicator@gentoo.org
Package: app-antivirus/clamav Herd: net-mail, antivirus Maintainer: net-mail, antivirus
Package: app-arch/rar Herd: no-herd Maintainer: aliz@gentoo.org
Package: app-arch/star Herd: shell-tools Maintainer: slarti@gentoo.org
Package: app-arch/unarj Herd: no-herd Maintainer: maintainer-wanted@gentoo.org Description: ...
Package: app-arch/zoo Herd: no-herd Maintainer: bug-wranglers@gentoo.org
Package: app-crypt/gnupg Herd: crypto Maintainer: crypto@gentoo.org Description: ...
Package: app-doc/chmlib Herd: no-herd Maintainer: svyatogor@gentoo.org
Package: app-editors/emacs Herd: emacs Maintainer: emacs
Package: app-editors/gedit Herd: gnome Maintainer: gnome
Package: app-editors/xemacs Herd: xemacs Maintainer: xemacs@gentoo.org
Package: app-emulation/wine Herd: wine Maintainer: wine Description: ...
Package: app-misc/lcdproc Metadata: missing? candidate for tree removal ChangeLog: 5 aliz, 4 agriffis, 3 avenj, 2 plasmaroo, 2 latexer, 2 mr_bones_, 1 hansmi, 1 msterret, 1 gustavoz, 1 josejx, 1 vapier, 1 gbevin, 
Package: app-misc/mc Herd: no-herd Maintainer: lanius@gentoo.org
Package: app-office/abiword Herd: gnome-office Maintainer: gnome-office
Package: app-office/dia Herd: gnome-office Maintainer: gnome-office Description: ...
Package: app-office/koffice Herd: kde Maintainer: kde
Package: app-office/kword Herd: kde Maintainer: kde
Package: app-text/acroread Herd: printing Maintainer: printing
Package: app-text/cstetex Herd: text-markup Maintainer: malenko@email.cz
Package: app-text/gpdf Herd: gnome Maintainer: gnome
Package: app-text/pdftohtml Herd: printing Maintainer: robbat2@gentoo.org
Package: app-text/pstotext Herd: text-markup Maintainer: text-markup
Package: app-text/ptex Herd: text-markup, cjk Maintainer: usata@gentoo.org Description: ...
Package: app-text/tetex Herd: text-markup Maintainer: text-markup
Package: app-text/unrtf Herd: no-herd Maintainer: robbat2@gentoo.org
Package: dev-db/mysql Herd: mysql Maintainer: mysql
Package: dev-db/postgresql Herd: postgresql Maintainer: postgresql
Package: dev-java/blackdown-jdk Herd: java Maintainer: java
Package: dev-java/blackdown-jre Herd: java Maintainer: java
Package: dev-java/sun-jdk Herd: java Maintainer: java Description: ...
Package: dev-lang/perl Herd: perl Maintainer: perl@gentoo.org
Package: dev-lang/php Herd: php Maintainer: php
Package: dev-lang/python Herd: python Maintainer: liquidx@gentoo.org
Package: dev-libs/cyrus-sasl Herd: net-mail Maintainer: net-mail
Package: dev-libs/libpcre Herd: no-herd Maintainer: carlo@gentoo.org
Package: dev-libs/libtasn1 Herd: crypto Maintainer: crypto@gentoo.org, liquidx@gentoo.org
Package: dev-libs/openssl Herd: base-system Maintainer: base-system
Package: dev-libs/pwlib Herd: voip, gnome Maintainer: stkn@gentoo.org
Package: dev-ml/ocaml-mysql Herd: ml Maintainer: ml
Package: dev-python/mod_python Herd: python, apache Maintainer: python, apache Description: ...
Package: dev-python/py2play Herd: python, games Maintainer: python, games
Package: games-fps/cube Herd: games Maintainer: games
Package: games-fps/doomsday Herd: games Maintainer: games
Package: games-roguelike/falconseye Herd: games Maintainer: games
Package: games-roguelike/nethack Herd: games Maintainer: games
Package: games-roguelike/slashem Herd: games Maintainer: games
Package: games-strategy/scorched3d Herd: games Maintainer: games
Package: kde-base/kdegraphics Herd: kde Maintainer: kde
Package: kde-base/kdelibs Herd: kde Maintainer: kde
Package: kde-base/kpdf Herd: kde Maintainer: kde
Package: mail-client/evolution Herd: gnome-office Maintainer: obz@gentoo.org, liquidx@gentoo.org
Package: mail-client/mozilla-thunderbird Herd: mozilla Maintainer: mozilla
Package: mail-client/mozilla-thunderbird-bin Herd: mozilla Maintainer: mozilla
Package: mail-mta/sendmail Herd: net-mail Maintainer: lcars@gentoo.org
Package: mail-mta/xmail Herd: net-mail Maintainer: net-mail
Package: media-gfx/blender Herd: graphics Maintainer: malverian@gentoo.org, lu_zero@gentoo.org Description: ...
Package: media-gfx/fbida Herd: no-herd Maintainer: spock@gentoo.org
Package: media-gfx/graphicsmagick Herd: Error (No Herd) Maintainer: kloeri@gentoo.org
Package: media-gfx/imagemagick Herd: graphics Maintainer: sekretarz@gentoo.org
Package: media-gfx/pngcrush Herd: no-herd Maintainer: no-herd
Package: media-gfx/xli Herd: no-herd Maintainer: no-herd
Package: media-gfx/xv Herd: no-herd Maintainer: taviso@gentoo.org
Package: media-gfx/xzgv Herd: no-herd Maintainer: smithj@gentoo.org
Package: media-gfx/zgv Herd: no-herd Maintainer: no-herd
Package: media-libs/gdk-pixbuf Herd: gnome Maintainer: gnome
Package: media-libs/giflib Herd: graphics Maintainer: graphics
Package: media-libs/libcdaudio Herd: no-herd Maintainer: no-herd
Package: media-libs/netpbm Herd: media-gfx Maintainer: graphics@gentoo.org
Package: media-libs/pdflib Herd: no-herd Maintainer: maintainer-needed@gentoo.org
Package: media-libs/tiff Herd: graphics Maintainer: nerdboy@gentoo.org Description: ...
Package: media-libs/xine-lib Herd: video Maintainer: flameeyes@gentoo.org Description: ...
Package: media-sound/gnump3d Herd: sound Maintainer: sound
Package: media-sound/mpg321 Herd: sound Maintainer: sound
Package: media-sound/peercast Herd: sound Maintainer: sound
Package: media-video/ffmpeg Herd: video Maintainer: media-video@gentoo.org
Package: media-video/mplayer Herd: video Maintainer: media-video@gentoo.org
Package: media-video/mplayer-bin Herd: amd64 Maintainer: dang@gentoo.org
Package: media-video/realplayer Herd: video Maintainer: media-video@gentoo.org
Package: net-analyzer/cacti Herd: netmon Maintainer: ramereth@gentoo.org Description: ...
Package: net-analyzer/ethereal Herd: netmon Maintainer: netmon Description: ...
Package: net-analyzer/nagios-core Herd: netmon Maintainer: eldad@gentoo.org, ramereth@gentoo.org Description: ...
Package: net-dns/dnsmasq Herd: no-herd Maintainer: avenj@gentoo.org
Package: net-dns/pdnsd Herd: net-dialup Maintainer: net-dialup Description: ...
Package: net-firewall/firehol Herd: Error (No Herd) Maintainer: centic@gentoo.org
Package: net-firewall/ipsec-tools Herd: no-herd Maintainer: latexer@gentoo.org
Package: net-fs/ncpfs Herd: net-fs Maintainer: net-fs Description: ...
Package: net-ftp/ftpd Metadata: missing? candidate for tree removal ChangeLog: 3 raker, 3 weeve, 3 seemant, 2 blubb, 2 agriffis, 2 dragonheart, 1 halcy0n, 1 swegener, 1 absinthe, 1 dholm, 1 mholzer, 1 yoswink, 
Package: net-ftp/gproftpd Herd: no-herd Maintainer: bug-wranglers@gentoo.org
Package: net-im/centericq Herd: net-im Maintainer: wschlich@gentoo.org Description: ...
Package: net-im/ekg Herd: net-im Maintainer: spock@gentoo.org
Package: net-im/kadu Herd: net-im Maintainer: mkay@gentoo.org
Package: net-im/linpopup Metadata: missing? candidate for tree removal ChangeLog: 3 mholzer, 2 vapier, 1 agriffis, 1 SeJo, 1 aliz, 
Package: net-irc/xchat Herd: net-irc Maintainer: net-irc
Package: net-libs/gecko-sdk Herd: mozilla Maintainer: mozilla
Package: net-libs/gnutls Herd: crypto Maintainer: crypto@gentoo.org, liquidx@gentoo.org
Package: net-libs/libgadu Herd: net-im Maintainer: sekretarz@gentoo.org
Package: net-libs/openslp Herd: printing Maintainer: liquidx@gentoo.org
Package: net-mail/metamail Herd: net-mail Maintainer: net-mail
Package: net-misc/axel Metadata: missing? candidate for tree removal ChangeLog: 1 hansmi, 1 squinky86, 1 ka0ttic, 1 j4rg0n, 1 taviso, 1 phoenix, 1 swegener, 1 agriffis, 1 tgall, 1 dragonheart, 1 cryos, 1 manson, 1 gustavoz, 1 dholm, 1 corsair, 1 mr_bones_, 1 stroke, 
Package: net-misc/curl Herd: no-herd Maintainer: liquidx@gentoo.org
Package: net-misc/hashcash Herd: no-herd Maintainer: kloeri@gentoo.org
Package: net-misc/openssh Herd: base-system Maintainer: lcars@gentoo.org Description: ...
Package: net-misc/proxytunnel Metadata: missing? candidate for tree removal ChangeLog: 5 vapier, 2 sbriesen, 1 antarus, 1 klieber, 1 solar, 1 squinky86, 1 dholm, 
Package: net-misc/rsync Herd: base-system Maintainer: base-system
Package: net-misc/zebedee Metadata: missing? candidate for tree removal ChangeLog: 3 seemant, 2 alron, 2 agriffis, 1 yoswink, 1 randy, 1 ciaranm, 1 vanquirius, 1 kloeri, 
Package: net-nds/openldap Herd: ldap Maintainer: ldap-bugs@gentoo.org
Package: net-p2p/limewire Herd: net-p2p Maintainer: net-p2p
Package: net-print/cups Herd: printing Maintainer: printing
Package: net-www/apache Herd: apache Maintainer: apache-bugs@gentoo.org Description: ...
Package: net-www/awstats Herd: web-apps Maintainer: ka0ttic@gentoo.org
Package: net-www/mod_auth_pgsql Herd: postgresql, apache Maintainer: postgresql, apache
Package: net-www/mod_dav Herd: apache Maintainer: apache-bugs@gentoo.org
Package: net-www/mod_ssl Herd: apache Maintainer: apache-bugs@gentoo.org
Package: net-www/netscape-flash Herd: no-herd Maintainer: no-herd
Package: net-zope/zope Herd: net-zope Maintainer: net-zope
Package: sys-apps/groff Herd: base-system Maintainer: base-system
Package: sys-auth/nss_ldap Herd: no-herd Maintainer: robbat2@gentoo.org
Package: sys-auth/pam_ldap Herd: pam Maintainer: pam-bugs@gentoo.org
Package: sys-block/nbd Herd: base-system Maintainer: base-system
Package: sys-cluster/heartbeat Herd: cluster Maintainer: cluster@gentoo.org Description: ...
Package: sys-cluster/openmosixview Herd: cluster Maintainer: tantive@gentoo.org
Package: sys-devel/binutils Herd: toolchain Maintainer: toolchain
Package: sys-devel/flex Herd: base-system Maintainer: base-system
Package: sys-devel/gdb Herd: toolchain Maintainer: toolchain
Package: sys-kernel/vanilla-sources Herd: x86-kernel Maintainer: x86-kernel@gentoo.org Description: ...
Package: sys-kernel/vserver-sources Herd: vserver Maintainer: vserver-devs@gentoo.org Description: ...
Package: sys-kernel/xbox-sources Herd: x86-kernel, kernel Maintainer: chrb@gentoo.org, gimli@gentoo.org Description: ...
Package: sys-libs/glibc Herd: toolchain Maintainer: toolchain
Package: www-apache/libapreq2 Herd: perl Maintainer: perl@gentoo.org
Package: www-apps/horde Herd: web-apps Maintainer: vapier@gentoo.org Description: ...
Package: www-apps/mediawiki Herd: web-apps Maintainer: trapni@gentoo.org, tchiwam@gentoo.org
Package: www-apps/trac Herd: web-apps Maintainer: dju@gentoo.org
Package: www-apps/twiki Herd: web-apps Maintainer: web-apps@gentoo.org
Package: www-client/dillo Herd: no-herd Maintainer: usata@gentoo.org
Package: www-client/lynx Herd: no-herd Maintainer: dmwaters@gentoo.org, hadfield@gentoo.org
Package: www-client/mozilla Herd: mozilla Maintainer: mozilla
Package: www-client/mozilla-bin Herd: mozilla Maintainer: mozilla
Package: www-client/mozilla-firefox Herd: mozilla Maintainer: mozilla
Package: www-client/mozilla-firefox-bin Herd: mozilla Maintainer: mozilla
Package: www-client/prozilla Herd: no-herd Maintainer: humpback@gentoo.org
Package: www-servers/monkeyd Herd: www-servers Maintainer: www-servers
Package: x11-libs/lesstif Herd: no-herd Maintainer: lanius@gentoo.org
Package: x11-libs/libast Herd: no-herd Maintainer: vapier@gentoo.org Description: ...
Package: x11-libs/openmotif Herd: no-herd Maintainer: lanius@gentoo.org
Package: x11-misc/xnview Herd: desktop-misc Maintainer: desktop-misc
Package: x11-terms/rxvt-unicode Herd: no-herd Maintainer: latexer@gentoo.org, exg@gentoo.org


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-28 18:20   ` Ned Ludd
@ 2006-05-28 20:18     ` Robin H. Johnson
  2006-05-29  1:17       ` Ned Ludd
  2006-05-29 20:22     ` Chris Gianelloni
  2006-06-02 13:15     ` Eldad Zack
  2 siblings, 1 reply; 22+ messages in thread
From: Robin H. Johnson @ 2006-05-28 20:18 UTC (permalink / raw
  To: gentoo-dev

On Sun, May 28, 2006 at 02:20:55PM -0400, Ned Ludd wrote:
> Package: net-nds/openldap Herd: ldap Maintainer: ldap-bugs@gentoo.org
We will be keeping the most recent version of each of the major
releases, as there are still people using them for interoperability with
other systems.

> Package: sys-auth/nss_ldap Herd: no-herd Maintainer: robbat2@gentoo.org
> Package: sys-auth/pam_ldap Herd: pam Maintainer: pam-bugs@gentoo.org
Could I ask that nobody touch these two for a moment.
There's a few odd bugs that only seem to bite some people, some of the
time, and it's an ongoing process tracing them still.

> Package: app-text/pdftohtml Herd: printing Maintainer: robbat2@gentoo.org
Removed entire package.
Was hardmasked since January for security reasons, poppler is the replacement.

> Package: app-text/unrtf Herd: no-herd Maintainer: robbat2@gentoo.org
Cleaned up two old versions - in 1 month, the latest series can go to
stable, and the other two ebuilds in here can get cleaned up.

-- 
Robin Hugh Johnson
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-28 20:18     ` Robin H. Johnson
@ 2006-05-29  1:17       ` Ned Ludd
  0 siblings, 0 replies; 22+ messages in thread
From: Ned Ludd @ 2006-05-29  1:17 UTC (permalink / raw
  To: gentoo-dev

On Sun, 2006-05-28 at 13:18 -0700, Robin H. Johnson wrote:
> On Sun, May 28, 2006 at 02:20:55PM -0400, Ned Ludd wrote:
> > Package: net-nds/openldap Herd: ldap Maintainer: ldap-bugs@gentoo.org
> We will be keeping the most recent version of each of the major
> releases, as there are still people using them for interoperability with
> other systems.
> 
> > Package: sys-auth/nss_ldap Herd: no-herd Maintainer: robbat2@gentoo.org
> > Package: sys-auth/pam_ldap Herd: pam Maintainer: pam-bugs@gentoo.org
> Could I ask that nobody touch these two for a moment.
> There's a few odd bugs that only seem to bite some people, some of the
> time, and it's an ongoing process tracing them still.

You got it.

> > Package: app-text/pdftohtml Herd: printing Maintainer: robbat2@gentoo.org
> Removed entire package.
> Was hardmasked since January for security reasons, poppler is the replacement.

> > Package: app-text/unrtf Herd: no-herd Maintainer: robbat2@gentoo.org
> Cleaned up two old versions - in 1 month, the latest series can go to
> stable, and the other two ebuilds in here can get cleaned up.

The tree thanks you :)


-- 
Ned Ludd <solar@gentoo.org>
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-28 18:20   ` Ned Ludd
  2006-05-28 20:18     ` Robin H. Johnson
@ 2006-05-29 20:22     ` Chris Gianelloni
  2006-06-02 13:15     ` Eldad Zack
  2 siblings, 0 replies; 22+ messages in thread
From: Chris Gianelloni @ 2006-05-29 20:22 UTC (permalink / raw
  To: gentoo-dev

On Sun, 2006-05-28 at 14:20 -0400, Ned Ludd wrote:

> Package: games-fps/cube Herd: games Maintainer: games

This will likely be removed soon, as upstream has abandoned it.

> Package: games-fps/doomsday Herd: games Maintainer: games

Waiting on a new upstream release.  Upstream is active, so we expect one
some time soon.

> Package: games-roguelike/falconseye Herd: games Maintainer: games
> Package: games-roguelike/nethack Herd: games Maintainer: games
> Package: games-roguelike/slashem Herd: games Maintainer: games

These three will be unmasked soon with a changed policy wrt games on
portage.

> Package: games-strategy/scorched3d Herd: games Maintainer: games

Waiting for upstream.

Basically, we're keeping track of our masked packages as well as we can.
There are many times where we don't want to remove the package, knowing
that upstream will be coming out with a newer version "any day now" as
it tends to upset our users.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux


* Re: [gentoo-dev] Security/QA Spring Cleaning
  2006-05-28 18:20   ` Ned Ludd
  2006-05-28 20:18     ` Robin H. Johnson
  2006-05-29 20:22     ` Chris Gianelloni
@ 2006-06-02 13:15     ` Eldad Zack
  2 siblings, 0 replies; 22+ messages in thread
From: Eldad Zack @ 2006-06-02 13:15 UTC (permalink / raw
  To: gentoo-dev

On Sunday 28 May 2006 21:20, Ned Ludd wrote:
> The following maintainers and maintaining herds are affected by this
> in one way or another. This list is still far too large for me to want to
> file a bug for.. So please do what you can to help narrow this list
> down.
>
> Granted not all cases can be solved easily especially when it's some
> misc arch which is forcing you to keep a package in the tree when you
> don't want to. For those cases please file an arch stabilization bug
> where appropriate.

> Package: net-analyzer/nagios-core Herd: netmon Maintainer: eldad@gentoo.org, ramereth@gentoo.org Description: ...
Done.

-- 
Eldad Zack <eldad@gentoo.org>
Key/Fingerprint at pgp.mit.edu, ID 0x96EA0A93
