public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] qa last rites -- long list
From: William Hubbs @ 2015-01-06 22:24 UTC
  To: gentoo-dev-announce; +Cc: gentoo-dev


All,

Many packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should be in an overlay, not the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no fixes but still in the
main tree will be removed then.

# Patrick Lauer <patrick@gentoo.org> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauhien@gentoo.org> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
<x11-misc/sddm-0.10.0

# Sergey Popov <pinkbyte@gentoo.org> (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
<virtual/mysql-5.5
<dev-db/mysql-5.5.39
<dev-db/mariadb-5.5.39

# Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> (03 Sep 2014)
# Markos Chandras <hwoarang@gentoo.org> (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer <fauli@gentoo.org> (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller <ulm@gentoo.org> (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert <floppym@gentoo.org> (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert <floppym@gentoo.org> (10 Jun 2014)
# Tom Wijsman <TomWij@gentoo.org> (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
#     A vulnerability has been discovered in VLC Media Player, which can be
#     exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider upgrading VLC Media Player to at least version 2.1.2.
<media-video/vlc-2.1.2

# Tom Wijsman <TomWij@gentoo.org> (6 Jun 2014)
# Tom Wijsman <TomWij@gentoo.org> (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman <TomWij@gentoo.org> (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL:        http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov <qnikst@gentoo.org> (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
<sys-kernel/openvz-sources-2.6.32.85.17

# Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
<media-libs/mesa-9.1.4

# Sergey Popov <pinkbyte@gentoo.org> (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
<net-nds/openldap-2.4.35

# Michael Weber <xmw@gentoo.org> (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
<net-ftp/proftpd-1.3.4c

# Samuli Suominen <ssuominen@gentoo.org> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni <wolf31o2@gentoo.org> (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

# <klieber@gentoo.org> (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/aaut

Thanks,

William



^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [gentoo-dev] qa last rites -- long list
From: Patrick Lauer @ 2015-01-07 10:56 UTC
  To: gentoo-dev

On 01/07/15 06:24, William Hubbs wrote:
> All,
> 
> Many packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should be in an overlay, not the main tree.
> 

> # Sergey Popov <pinkbyte@gentoo.org> (20 Mar 2014)
> # Security mask of vulnerable versions, wrt bug #424167
> <net-nds/openldap-2.4.35

Please leave at least one openldap-2.3 version around - replication
doesn't work between different major versions, so those of us stuck with
mummified linux need them (sigh)

Thanks,

Patrick



* Re: [gentoo-dev] qa last rites -- long list
From: Philip Webb @ 2015-01-07 11:49 UTC
  To: gentoo-dev

150106 William Hubbs wrote:
> Many packages have been masked in the tree for months - years
> with no signs of fixes.  I am particularly concerned
> about packages with known security vulnerabilities
> staying in the main tree masked.  If people want to keep those packages,
> I don't want to stop them, but packages like this should be in an overlay,
> not the main tree.

-- snip --

> # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> # masked pending unresolved security issues #125902
> games-roguelike/nethack

-- snip --

This one is perfectly safe on a single-user system: please leave it there.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca




* Re: [gentoo-dev] qa last rites -- long list
From: William Hubbs @ 2015-01-07 15:57 UTC
  To: gentoo-dev


On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
> 150106 William Hubbs wrote:
> > Many packages have been masked in the tree for months - years
> > with no signs of fixes.  I am particularly concerned
> > about packages with known security vulnerabilities
> > staying in the main tree masked.  If people want to keep those packages,
> > I don't want to stop them, but packages like this should be in an overlay,
> > not the main tree.
> 
> -- snip --
> 
> > # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> 
> -- snip --
> 
> This one is perfectly safe on a single-user system : please leave it there.

I'm not opposed to it staying in the tree under one of these conditions:

1) fix it and remove the mask

or

2) remove the mask and add ewarns to the ebuild

William




* Re: [gentoo-dev] qa last rites -- long list
From: Philip Webb @ 2015-01-07 16:29 UTC
  To: gentoo-dev

150107 William Hubbs wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>>> Many packages have been masked in the tree for months - years
>>> with no signs of fixes.  I am particularly concerned
>>> about packages with known security vulnerabilities
>>> staying in the main tree masked.  If people want to keep those packages,
>>> I don't want to stop them, but packages like this should be in an overlay,
>>> not the main tree.
>> -- snip --
>> > # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
>> > # masked pending unresolved security issues #125902
>> > games-roguelike/nethack
>> -- snip --
>> This one is perfectly safe on a single-user system : please leave it there.
> I'm not opposed to it staying in the tree under one of these conditions:
> 1) fix it and remove the mask or

I'm a user, not a dev or a programmer.

> 2) remove the mask and add ewarns to the ebuild

That looks more reasonable & something a dev could easily do.

-- 
========================,,============================================
SUPPORT     ___________//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT    `-O----------O---'   purslowatchassdotutorontodotca




* Re: [gentoo-dev] qa last rites -- long list
From: Matt Turner @ 2015-01-07 17:15 UTC
  To: gentoo-dev

On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>> This one is perfectly safe on a single-user system : please leave it there.
>
> I'm not opposed to it staying in the tree under one of these conditions:
>
> 1) fix it and remove the mask
>
> or
>
> 2) remove the mask and add ewarns to the ebuild

Remove the mask that people have to see and actively disable in order
to install the software and replace it with ewarn messages that they
likely won't read?

I don't see the problem with versions with security vulnerabilities
masked in the tree. nethack in particular has been masked in the tree
since 2006, so we have some precedence.



* [gentoo-dev] Re: qa last rites -- long list
From: Jonathan Callen @ 2015-01-08  0:19 UTC
  To: gentoo-dev


On 01/07/2015 12:15 PM, Matt Turner wrote:
> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs <williamh@gentoo.org>
> wrote:
>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>> single-user system : please leave it there.
>> 
>> I'm not opposed to it staying in the tree under one of these
>> conditions:
>> 
>> 1) fix it and remove the mask
>> 
>> or
>> 
>> 2) remove the mask and add ewarns to the ebuild
> 
> Remove the mask that people have to see and actively disable in
> order to install the software and replace it with ewarn messages
> that they likely won't read?
> 
> I don't see the problem with versions with security
> vulnerabilities masked in the tree. nethack in particular has been
> masked in the tree since 2006, so we have some precedence.
> 
> 

The only reason there is a security issue with nethack (and other
games like it) on Gentoo, and only on Gentoo, is that the games team
policy requires that all games have permissions 0750, with group
"games", and all users that should be allowed to run games be in the
"games" group.  Nethack expects that it have permissions 2755 (or
2711), with group "games" and that *no* users are members of that
group, so it can securely save files that are accessible to all users
during gameplay ("bones" files) and ensure that the user cannot
access/change their current save file.  These two expectations are
incompatible with each other, and end up creating a security issue
that upstream would never expect (as no users can be in the "games"
group traditionally).

-- 
Jonathan Callen



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Daniel Campbell @ 2015-01-08  7:23 UTC
  To: gentoo-dev


On 01/07/2015 04:19 PM, Jonathan Callen wrote:
> On 01/07/2015 12:15 PM, Matt Turner wrote:
>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs 
>> <williamh@gentoo.org> wrote:
>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>>> 150106 William Hubbs wrote: This one is perfectly safe on a 
>>>> single-user system : please leave it there.
>>> 
>>> I'm not opposed to it staying in the tree under one of these 
>>> conditions:
>>> 
>>> 1) fix it and remove the mask
>>> 
>>> or
>>> 
>>> 2) remove the mask and add ewarns to the ebuild
> 
>> Remove the mask that people have to see and actively disable in 
>> order to install the software and replace it with ewarn messages
>>  that they likely won't read?
> 
>> I don't see the problem with versions with security 
>> vulnerabilities masked in the tree. nethack in particular has 
>> been masked in the tree since 2006, so we have some precedence.
> 
> 
> 
> The only reason there is a security issue with nethack (and other 
> games like it) on Gentoo, and only on Gentoo, is that the games 
> team policy requires that all games have permissions 0750, with 
> group "games", and all users that should be allowed to run games
> be in the "games" group.  Nethack expects that it have permissions 
> 2755 (or 2711), with group "games" and that *no* users are members 
> of that group, so it can securely save files that are accessible
> to all users during gameplay ("bones" files) and ensure that the
> user cannot access/change their current save file.  These two 
> expectations are incompatible with each other, and end up creating 
> a security issue that upstream would never expect (as no users can 
> be in the "games" group traditionally).
> 
> 

Is Nethack's group expectation hard-coded? If not, then what's
stopping nethack from using another, self-made group (like 'nethack')
to arbitrate the bones files?

If it *is* hard-coded, then can we produce a (hopefully simple) patch?



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Pacho Ramos @ 2015-01-08  9:45 UTC
  To: gentoo-dev

On Wed, 07-01-2015 at 19:19 -0500, Jonathan Callen wrote:
[...]
> The only reason there is a security issue with nethack (and other
> games like it) on Gentoo, and only on Gentoo, is that the games team
> policy requires that all games have permissions 0750, with group
> "games", and all users that should be allowed to run games be in the
> "games" group.  Nethack expects that it have permissions 2755 (or
> 2711), with group "games" and that *no* users are members of that
> group, so it can securely save files that are accessible to all users
> during gameplay ("bones" files) and ensure that the user cannot
> access/change their current save file.  These two expectations are
> incompatible with each other, and end up creating a security issue
> that upstream would never expect (as no users can be in the "games"
> group traditionally).
> 
> 

If I don't misremember, the Council finally allowed people not to be mandated
by those "games team" policies and, then, I guess that could finally
allow dropping that security issue, no? :/




* Re: [gentoo-dev] Re: qa last rites -- long list
From: Rich Freeman @ 2015-01-08 10:53 UTC
  To: gentoo-dev

On Thu, Jan 8, 2015 at 4:45 AM, Pacho Ramos <pacho@gentoo.org> wrote:
> On Wed, 07-01-2015 at 19:19 -0500, Jonathan Callen wrote:
> [...]
>> The only reason there is a security issue with nethack (and other
>> games like it) on Gentoo, and only on Gentoo, is that the games team
>> policy requires that all games have permissions 0750, with group
>> "games", and all users that should be allowed to run games be in the
>> "games" group.  Nethack expects that it have permissions 2755 (or
>> 2711), with group "games" and that *no* users are members of that
>> group, so it can securely save files that are accessible to all users
>> during gameplay ("bones" files) and ensure that the user cannot
>> access/change their current save file.  These two expectations are
>> incompatible with each other, and end up creating a security issue
>> that upstream would never expect (as no users can be in the "games"
>> group traditionally).
>>
>>
>
> If I don't misremember Council allowed finally people to not be mandated
> by that "games team" policies and, then, I guess that could finally
> allow to drop that security issue no? :/
>

This is correct, if the maintainer wishes.

-- 
Rich



* Re: [gentoo-dev] Re: qa last rites -- long list
From: William Hubbs @ 2015-01-08 15:16 UTC
  To: gentoo-dev


On Thu, Jan 08, 2015 at 05:53:47AM -0500, Rich Freeman wrote:
> On Thu, Jan 8, 2015 at 4:45 AM, Pacho Ramos <pacho@gentoo.org> wrote:
> > On Wed, 07-01-2015 at 19:19 -0500, Jonathan Callen wrote:
> > [...]
> >> The only reason there is a security issue with nethack (and other
> >> games like it) on Gentoo, and only on Gentoo, is that the games team
> >> policy requires that all games have permissions 0750, with group
> >> "games", and all users that should be allowed to run games be in the
> >> "games" group.  Nethack expects that it have permissions 2755 (or
> >> 2711), with group "games" and that *no* users are members of that
> >> group, so it can securely save files that are accessible to all users
> >> during gameplay ("bones" files) and ensure that the user cannot
> >> access/change their current save file.  These two expectations are
> >> incompatible with each other, and end up creating a security issue
> >> that upstream would never expect (as no users can be in the "games"
> >> group traditionally).
> >>
> >>
> >
> > If I don't misremember Council allowed finally people to not be mandated
> > by that "games team" policies and, then, I guess that could finally
> > allow to drop that security issue no? :/
> >
> 
> This is correct, if the maintainer wishes.

Rich is correct: maintainers are no longer bound by the games team
policy.

Since this is a popular game, I urge someone to take it over and fix the
issue. If I were taking it over, I would immediately look into rewriting
the ebuild to not use games.eclass.

William



* [gentoo-dev] Re: qa last rites -- long list
From: Jonathan Callen @ 2015-01-09  2:20 UTC
  To: gentoo-dev


On 01/08/2015 02:23 AM, Daniel Campbell wrote:
> On 01/07/2015 04:19 PM, Jonathan Callen wrote:
>> On 01/07/2015 12:15 PM, Matt Turner wrote:
>>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs 
>>> <williamh@gentoo.org> wrote:
>>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>>>>  single-user system : please leave it there.
>>>> 
>>>> I'm not opposed to it staying in the tree under one of these
>>>>  conditions:
>>>> 
>>>> 1) fix it and remove the mask
>>>> 
>>>> or
>>>> 
>>>> 2) remove the mask and add ewarns to the ebuild
> 
>>> Remove the mask that people have to see and actively disable in
>>>  order to install the software and replace it with ewarn
>>> messages that they likely won't read?
> 
>>> I don't see the problem with versions with security 
>>> vulnerabilities masked in the tree. nethack in particular has 
>>> been masked in the tree since 2006, so we have some
>>> precedence.
> 
> 
> 
>> The only reason there is a security issue with nethack (and other
>>  games like it) on Gentoo, and only on Gentoo, is that the games
>>  team policy requires that all games have permissions 0750, with
>>  group "games", and all users that should be allowed to run
>> games be in the "games" group.  Nethack expects that it have
>> permissions 2755 (or 2711), with group "games" and that *no*
>> users are members of that group, so it can securely save files
>> that are accessible to all users during gameplay ("bones" files)
>> and ensure that the user cannot access/change their current save
>> file.  These two expectations are incompatible with each other,
>> and end up creating a security issue that upstream would never
>> expect (as no users can be in the "games" group traditionally).
> 
> 
> 
> Is Nethack's group expectation hard-coded? If not, then what's 
> stopping nethack from using another, self-made group (like
> 'nethack') to arbitrate the bones files?
> 
> If it *is* hard-coded, then can we produce a (hopefully simple)
> patch?
> 
> 

The problem was that you could not have the game setgid to "nethack"
*and* only executable by people in group "games" at the same time, as
they both require setting the group of the executable in order to
enforce the policy, and a file can only have one group (not counting
ACLs, which are not always supported).

As it is no longer required to follow the games team policy, the issue
can now be fixed by *not* using the "games" group for nethack.

-- 
Jonathan Callen
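The permission conflict explained in this message and in Jonathan's earlier one (setgid group versus games-team group, one group per file), as an added audit example that is not code from this thread or from any Gentoo ebuild: given constructed /etc/group lines and a constructed list of game binaries, it flags setgid executables whose group has interactive members, which is the layout that leaves the bones and save files unprotected from those members. All paths, group names and logins below are constructed.

```python
"""Audit setgid game binaries against their group's membership.

Added example, not code from the thread or from any Gentoo ebuild. A game
installed setgid to group G relies on *no* real user being a member of G;
the old games-team layout (0750, group "games", every player in "games")
relies on the opposite. A file carries exactly one group, so one binary
cannot satisfy both. Every path, group and login here is constructed.
"""
import stat

# Constructed /etc/group content (not taken from any real system).
ETC_GROUP = """\
root:x:0:
games:x:35:alice,bob
nethack:x:1001:
users:x:100:alice,bob,carol
"""

# Constructed inventory of (path, mode, group), as an audit would gather via os.stat.
INVENTORY = [
    ("/usr/games/bin/nethack", 0o2755, "nethack"),  # upstream layout: setgid, empty group
    ("/usr/games/bin/rogue",   0o2755, "games"),    # setgid into a group that has members
    ("/usr/games/bin/xmoto",   0o0750, "games"),    # games-team layout, no setgid
    ("/usr/games/bin/doom3",   0o2750, "games"),    # both layouts applied to one file
]


def parse_groups(text):
    """Map group name -> list of member logins from /etc/group style lines."""
    members = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _passwd, _gid, member_field = line.split(":", 3)
        members[name] = [m for m in member_field.split(",") if m]
    return members


def classify(mode, group, group_members):
    """Return (status, reason) for one executable.

    conflict   : setgid into a group with interactive members; those members
                 already hold that group outside the game, so files the game
                 protects with it (bones, saves) are not protected from them.
    setgid-ok  : setgid into a group nobody is a member of (upstream layout).
    restricted : not setgid, group-executable only (games-team layout); the
                 game runs purely as the player, with no protected shared state.
    plain      : not setgid, world-executable.
    """
    members = group_members.get(group, [])
    is_setgid = bool(mode & stat.S_ISGID)
    if is_setgid and members:
        return "conflict", "setgid %s but %s are members of %s" % (group, ",".join(members), group)
    if is_setgid:
        return "setgid-ok", "setgid %s and no user is a member of %s" % (group, group)
    if mode & stat.S_IXOTH:
        return "plain", "world-executable, runs with the player's own groups"
    if mode & stat.S_IXGRP:
        return "restricted", "only members of %s can run it; no protected shared state" % group
    return "unusable", "not executable by group or others"


def audit(inventory, etc_group_text):
    """Classify every inventory entry; returns {path: status}."""
    groups = parse_groups(etc_group_text)
    return {path: classify(mode, group, groups)[0] for path, mode, group in inventory}


def can_satisfy_both(setgid_group, policy_group, group_members):
    """Can one file be setgid to setgid_group AND executable only by members of
    policy_group? Only when both are the same group, and then that group must
    have players yet no members, which only holds when nobody can play."""
    if setgid_group != policy_group:
        return False  # a file has exactly one group; ACLs aside, no second one
    return not group_members.get(policy_group, [])


if __name__ == "__main__":
    for path, status in audit(INVENTORY, ETC_GROUP).items():
        print("%-26s %s" % (path, status))
```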



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Luis Ressel @ 2015-01-09 22:25 UTC
  To: gentoo-dev


On Thu, 8 Jan 2015 09:16:36 -0600
William Hubbs <williamh@gentoo.org> wrote:

> Rich is correct, maintainers are no longer bound by the games team
> policy.
> 

I didn't know this. If that's the case, I'd like to proxy-maintain
nethack. I'll try and prepare the necessary ebuild changes.


Luis Ressel



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Michał Górny @ 2015-01-09 22:31 UTC
  To: Pacho Ramos; +Cc: gentoo-dev


On 2015-01-08, at 10:45:33
Pacho Ramos <pacho@gentoo.org> wrote:

> On Wed, 07-01-2015 at 19:19 -0500, Jonathan Callen wrote:
> [...]
> > The only reason there is a security issue with nethack (and other
> > games like it) on Gentoo, and only on Gentoo, is that the games team
> > policy requires that all games have permissions 0750, with group
> > "games", and all users that should be allowed to run games be in the
> > "games" group.  Nethack expects that it have permissions 2755 (or
> > 2711), with group "games" and that *no* users are members of that
> > group, so it can securely save files that are accessible to all users
> > during gameplay ("bones" files) and ensure that the user cannot
> > access/change their current save file.  These two expectations are
> > incompatible with each other, and end up creating a security issue
> > that upstream would never expect (as no users can be in the "games"
> > group traditionally).
> > 
> > 
> 
> If I don't misremember Council allowed finally people to not be mandated
> by that "games team" policies and, then, I guess that could finally
> allow to drop that security issue no? :/

If it were that simple... but we need to clean up that long-outstanding
mess. And we have no guarantees someone won't bring it back to us since
the eclasses are still allowed to be used.

-- 
Best regards,
Michał Górny



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Pacho Ramos @ 2015-01-10 14:16 UTC
  To: Michał Górny; +Cc: gentoo-dev

On Fri, 09-01-2015 at 23:31 +0100, Michał Górny wrote:
[...] 
> > If I don't misremember Council allowed finally people to not be mandated
> > by that "games team" policies and, then, I guess that could finally
> > allow to drop that security issue no? :/
> 
> If it were that simple... but we need to clean up that long-outstanding
> mess. And we have no guarantees someone won't bring it back to us since
> the eclasses are still allowed to be used.
> 

I agree with you; I was focusing on that concrete issue as that bug has been
around for years, but I also don't understand why games.eclass is not
deprecated completely, as the current situation will only spread the problem
of some games being handled following a different policy than others,
leading to inconsistencies :(

But I must admit I lost track of this issue some time ago and I
don't remember why the eclass is still allowed and both policies
are being used in parallel depending on the maintainer; that is the
reason I haven't suggested that the Council deprecate games.eclass
finally :/




* Re: [gentoo-dev] Re: qa last rites -- long list
From: Rich Freeman @ 2015-01-11 13:11 UTC
  To: gentoo-dev

On Sat, Jan 10, 2015 at 9:16 AM, Pacho Ramos <pacho@gentoo.org> wrote:
>
> But I must admit I lost the track of this issue some time ago and I
> don't remember why the eclass is still allowed and then both policies
> are being used in parallel depending on the maintainer, that is the
> reason I haven't suggested the Council to deprecate games.eclass
> finally :/
>

There is an immediate reason for this, and a deeper underlying issue.  (IMHO.)

The immediate issue was that the Council was dealing with a crisis
with the games herd and wanted to take the minimum initial action to
break the logjam.  That meant removing the requirement that all games
have to be under the control of the herd, but not interfering with how
the herd itself was managed.  There have been some attempts since to
try to get a games team organized, but so far I don't think there has
been much interest in that.  It would be far better for a bunch of
devs interested in games to get together, work out how to clean up the
mess, and do it versus just having the council step into that role
with a club.  If that doesn't get anywhere then we can always revisit
the situation and ask whether the current games policies are a serious
problem, and if so should we turn that into some kind of QA issue with
mandatory cleanup.  In general, though, we try to aim for
minimal-interference at the Council level.  That brings me to...

The deeper underlying issues, IMHO, might have something to do with
the fact that a distro that is designed around letting every user have
it their own way tends to lead to a culture of developers who all want
to have everything their own way as well.  :)

That, and things like this:
"Projects may well conflict with other projects. That's okay." [1]

games.eclass is really just one more manifestation of this, though a
more obvious one.  How many foo-cleaner/foo-updater/etc scripts do we
have out there now for things that aren't cleanly updated by portage,
and how consistent is the syntax from one to the next?  There are many
package-to-package inconsistencies with how things get done.  Of
course, most of those aren't the result of outright disagreements.

In general we tend to leave many things up to maintainers to "do the
right thing" and I think that most of us tend to like it that way.  I
think the areas for Council involvement are ones like:
1.  Outright conflict between maintainers/projects.
2.  Cases where maintainers aren't really in active conflict, but
consistency would benefit everybody and isn't particularly onerous to
achieve.
3.  Decisions that really affect the direction of the distro as a whole.

[1] - https://wiki.gentoo.org/wiki/GLEP:39

-- 
Rich



* Re: [gentoo-dev] Re: qa last rites -- long list
From: Pacho Ramos @ 2015-01-13 13:05 UTC
  To: gentoo-dev; +Cc: games, qa

On Sun, 11-01-2015 at 08:11 -0500, Rich Freeman wrote:
[...]
The main issue I see is that the main objective of using games.eclass is
to keep games being used by people in the "games" group... but this point is
broken as soon as we allow packages to not use that eclass and, then, I
see no advantage at all in not deprecating games.eclass (even if not
killing it immediately... but at least letting people know that it's
finally deprecated) (I am thinking of repoman warning about that eclass
usage as it does for old python eclasses and many more)

But I guess this should be moved back to current games team and maybe QA
as I agree escalating it to the Council directly looks "excessive"



