Subject: Re: [gentoo-dev] Update on the 23.0 profiles
From: Michał Górny
To: gentoo-dev@lists.gentoo.org
Date: Sun, 07 Apr 2024 16:48:12 +0200

On Sun, 2024-04-07 at 08:51 -0400, Michael Orlitzky wrote:
> On Sun, 2024-04-07 at 14:35 +0200, Andreas K. Huettel wrote:
> >
> > Uhh, I don't really remember, I think some Chinese-sounding guy asked
> > me for it... (j/k)
>
> It is remarkably bad timing. How it looks: Gentoo's response to the xz
> incident is to have me rebuild my entire system with everything that
> could possibly be linked to liblzma, linked to liblzma. Even on the
> hardened profiles, and with no easy way to prevent it.

So, what you're basically saying, is that the best Gentoo response right
now would be to frantically remove LZMA support everywhere? I'm sure
that would be so much better than our response of masking vulnerable
versions and issuing a statement.

-- 
Best regards,
Michał Górny