From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from lists.gentoo.org ([140.105.134.102] helo=robin.gentoo.org) by nuthatch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1Fiklx-000591-MV for garchives@archives.gentoo.org; Wed, 24 May 2006 04:15:02 +0000 Received: from robin.gentoo.org (localhost [127.0.0.1]) by robin.gentoo.org (8.13.6/8.13.6) with SMTP id k4O4Eu2N024943; Wed, 24 May 2006 04:14:56 GMT Received: from smtp.ufl.edu (smtp01.osg.ufl.edu [128.227.74.149]) by robin.gentoo.org (8.13.6/8.13.6) with ESMTP id k4O4BNv2024144 for ; Wed, 24 May 2006 04:11:24 GMT Received: from [192.168.2.50] (huntersrun-cm-241.usa2net.net [207.40.203.241]) (authenticated bits=0) by smtp.ufl.edu (8.13.6/8.13.6/2.5.1) with ESMTP id k4O4BKMW1188014 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Wed, 24 May 2006 00:11:22 -0400 Message-ID: <4473DCE4.3080106@gentoo.org> Date: Wed, 24 May 2006 00:11:16 -0400 From: Doug Goldstein User-Agent: Thunderbird 1.5.0.2 (X11/20060430) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Reply-to: gentoo-dev@lists.gentoo.org MIME-Version: 1.0 To: gentoo-dev@lists.gentoo.org Subject: Re: [gentoo-dev] Security/QA Spring Cleaning References: <1148266942.19708.90.camel@localhost> <1148415750.11998.34.camel@onyx> <1148417466.18445.16.camel@cgianelloni.nuvox.net> <20060523210620.GE14671@nightcrawler> <1148420769.18445.20.camel@cgianelloni.nuvox.net> <20060523220514.GF14671@nightcrawler> <1148423071.18445.24.camel@cgianelloni.nuvox.net> <20060523223638.GG14671@nightcrawler> In-Reply-To: <20060523223638.GG14671@nightcrawler> X-Enigmail-Version: 0.94.0.0 OpenPGP: id=8B4264CB; url=http://dev.gentoo.org/~cardoe/cardoe.asc Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig88929BC0FA46561603D22418" X-Spam-Status: hits=0, required=5, tests= X-UFL-Spam-Status: hits=0, required=5, tests= X-Scanned-By: CNS Open Systems Group (http://open-systems.ufl.edu/services/smtp-relay/) X-UFL-Scanned-By: CNS Open Systems Group (http://open-systems.ufl.edu/services/smtp-relay/) X-Archives-Salt: f752ad48-186c-49d0-a62c-1ea855d2b776 X-Archives-Hash: 5e9d120e7707bf1d888648709128e8dd This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig88929BC0FA46561603D22418 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Brian Harring wrote: >=20 > Commented in #-security about it, but any reason that arches don't yank= =20 > their keywords from insecure ebuilds after they've stabled a=20 > replacement? >=20 Brian, I asked about this VERY same thing a long while back and at best I received "Because person X said no." So you ask X and they say the person that sent you to them said no. The only argument against it was that it'd break the depend tree if package Y depends on version <=3D0.99 of package X and versions > 1.0 of = X are vulnerability free. My opinion is "snap, crackle, and pop"... let the tree break. But better yet... figure out what depends on package X <=3D1.0 and p.mask it. --=20 Doug Goldstein http://dev.gentoo.org/~cardoe/ --------------enig88929BC0FA46561603D22418 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEc9znoeSe8B0zEfwRAlSMAJ9DB+ZwrEVw7G9Xbln2nL3AArbTKACfQxOV krGvO4H4wsOR7P9MIee0epk= =DsrT -----END PGP SIGNATURE----- --------------enig88929BC0FA46561603D22418-- -- gentoo-dev@gentoo.org mailing list