From: Sune Kloppenborg Jeppesen
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Project Sunrise resumed again (was Resignation)
Date: Thu, 3 Aug 2006 13:00:49 +0200

On Thursday 03 August 2006 04:56, Brian Harring wrote:
> Besides... frankly it's kind of BS to push the vuln angle onto sunrise
> when gentoo can't even clean out years old vulnerable packages from
> gentoo-x86 (that doesn't absolve sunrise from having to watch it, nor
> a potshot at the understaffed security team, merely that double
> standards suck).

Just to clarify: AFAIR it has never been policy to remove vulnerable ebuilds.
The Security Team leaves that up to the maintainers. For some issues it does
make sense to keep vulnerable ebuilds in the tree (i.e. latest Apache (GLSA
200608-01), when not using mod_rewrite).

-- 
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
http://security.gentoo.org