From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([69.77.167.62] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1JCgcH-0005qC-Ue for garchives@archives.gentoo.org; Wed, 09 Jan 2008 19:29:34 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 3C630E064B; Wed, 9 Jan 2008 19:27:57 +0000 (UTC)
Received: from mail.marples.name (rsm.demon.co.uk [80.177.111.50]) by pigeon.gentoo.org (Postfix) with ESMTP id 77E43E064B for ; Wed, 9 Jan 2008 19:27:56 +0000 (UTC)
Received: from uberpc.marples.name (uberpc.marples.name [10.73.1.30]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.marples.name (Postfix) with ESMTP id 8D30719010A for ; Wed, 9 Jan 2008 19:27:55 +0000 (GMT)
From: Roy Marples
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Monthly Gentoo Council Reminder for January
Date: Wed, 9 Jan 2008 19:27:40 +0000
User-Agent: KMail/1.9.7
References: <20080101103002.083C4652C4@smtp.gentoo.org> <1199899672.43325.11.camel@localhost> <20080109181624.77dec483@snowcone>
In-Reply-To: <20080109181624.77dec483@snowcone>
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200801091927.40100.roy@marples.name>
X-Archives-Salt: 93637d15-7ef3-41c5-9b3c-a36cfd311c73
X-Archives-Hash: 16972d8b003e00e2972a87200042f085

On Wednesday 09 January 2008 18:16:24 Ciaran McCreesh wrote:
> On Wed, 09 Jan 2008 17:27:52 +0000
> Roy Marples wrote:
> > On Wed, 2008-01-09 at 17:01 +0000, Ciaran McCreesh wrote:
> > > 3.5.5 was good enough to be keyworded stable at one point. Thus, it
> > > can't be *that* bad.
> >
> > So what happens if a flaw is discovered in KDE 3.5.5 that allows root
> > access?
>
> Then the one particular part of 3.5.5 that's affected gets fixed and
> priority keyworded.

Let's say that there's just 3.5.5 and 3.5.8 in the tree.

3.5.5 is keyworded stable mips
3.5.8 doesn't have the mips keyword because it's horribly broken on mips

A security flaw is discovered in 3.5.5; the solution is to upgrade to 3.5.8. This flaw involves code that has radically changed from 3.5.5 to 3.5.8. For the sake of argument, say it will take 1 month of time for anyone to create a patch for 3.5.5 that fixes the flaw OR makes 3.5.8 magically work on mips.

During this month, what do you propose happens to the end user? The choices are

1) Carry on as we are: the user is blissfully unaware of the security flaw and doesn't have time to read GLSAs, etc., as he's busy with real life, thereby giving Gentoo the reputation of shipping insecure software.

2) Force the user to spend a few minutes adding 3.5.5 to a package.unmask, thereby acknowledging the security flaw but by his own choice keeping the highly insecure software.

Thanks

Roy
-- 
gentoo-dev@lists.gentoo.org mailing list