Date: Sat, 31 Mar 2007 23:39:40 +0100
From: Ciaran McCreesh
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: [soc] Python bindings for Paludis
Message-ID: <20070331233940.1cbf0a71@snowflake>

On Sat, 31 Mar 2007 23:27:19 +0100
Steve Long wrote:
> Stephen Bennett wrote:
> > ... Gentoo developers can take the latest release of said package
> > manager and continue development from that. That's the wonderful
> > thing about the GPL, no?
>
> Too late for all the affected users tho. Point is it's a major
> security hole which no sane organisation would even consider for
> mission-critical code.

Do you really think anyone checks every last line of code in every
release of every system package? Sneaking in a check for
/etc/gentoo-release with a time-delayed nasty into a widely used
package wouldn't be particularly hard for anyone serious...

Heck, getting oneself recruited under a pseudonym and sneaking some
very nasty global scope code into the tree wouldn't be particularly
hard for anyone serious...

These arguments are getting weaker and weaker...

--
Ciaran McCreesh

--
gentoo-dev@gentoo.org mailing list