Re: [gentoo-dev] why is the security team running around p.masking packages

[Andrew Savchenko <bircoph@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 1390 bytes --]

On Thu, 30 Jun 2016 22:51:51 -0400 Anthony G. Basile wrote:
> I'm going to ask the security team to please stop running around
> p.masking packages without acknowledgement from the maintainers.  I'm
> referring in particular to commit
> 135b94c85950254f559f290f4865bce8b349a917 regarding monkeyd.  Both of the
> cited "security bugs" were long fixed, and even if the were not, they do
> not merit masking because they were at best some information leakage
> with minor impact.  I have reverted that commit and would ask that
> security stop this practice.

Seconded here, the same applies to commit
61de68f69fdf7dd0aaa53303517c0e59738034c3, since security issues
doesn't affect most popular use cases, and at least first security
bug is fixed in [1]. Haven't tested the other bug, though.

The same applies for the tree-cleaners team. While their job is
very important, sometimes they are too hasty, like in commit
34181a1045d13142d959b9c894a46ddcebf3c512. If package builds and
works fine, have no critical bugs opened, the sheer fact that
upstream as inactive and package has no maintainer is no valid to
remove package. The reason "are still sitting in ~arch" is even
less valid, since it is absolutely fine that package never mades it
into stable (some people do not use stable at all).

[1] https://github.com/Mr-Dave/motion

Best regards,
Andrew Savchenko

[-- Attachment #2: Type: application/pgp-signature, Size: 819 bytes --]