public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] qa last rites multiple packages
From: William Hubbs @ 2015-01-06 23:47 UTC
  To: gentoo-dev-announce; +Cc: gentoo development


All,

these packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should not be in the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no activity on them but still in the
main tree will be removed then.

# Patrick Lauer <patrick@gentoo.org> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauhien@gentoo.org> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
<x11-misc/sddm-0.10.0

# Sergey Popov <pinkbyte@gentoo.org> (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
<virtual/mysql-5.5
<dev-db/mysql-5.5.39
<dev-db/mariadb-5.5.39

# Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> (03 Sep 2014)
# Markos Chandras <hwoarang@gentoo.org> (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer <fauli@gentoo.org> (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller <ulm@gentoo.org> (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert <floppym@gentoo.org> (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert <floppym@gentoo.org> (10 Jun 2014)
# Tom Wijsman <TomWij@gentoo.org> (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
#     A vulnerability has been discovered in VLC Media Player, which can be
#     exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider upgrading VLC Media Player to at least version 2.1.2.
<media-video/vlc-2.1.2

# Tom Wijsman <TomWij@gentoo.org> (6 Jun 2014)
# Tom Wijsman <TomWij@gentoo.org> (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman <TomWij@gentoo.org> (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL:        http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov <qnikst@gentoo.org> (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
<sys-kernel/openvz-sources-2.6.32.85.17

# Chí-Thanh Christopher Nguyễn <chithanh@gentoo.org> (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
<media-libs/mesa-9.1.4

# Sergey Popov <pinkbyte@gentoo.org> (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
<net-nds/openldap-2.4.35

# Michael Weber <xmw@gentoo.org> (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
<net-ftp/proftpd-1.3.4c

# Samuli Suominen <ssuominen@gentoo.org> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni <wolf31o2@gentoo.org> (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
games-fps/doom3-lms
games-fps/doom3-mitm
games-fps/doom3-phantasm
games-fps/doom3-roe
games-fps/quake4-bin
games-fps/quake4-data
games-fps/quake4-demo

# Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #127167
games-roguelike/slashem

# Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
games-util/hearse

# <klieber@gentoo.org> (01 Apr 2004)
# The following packages contain a remotely-exploitable
# security vulnerability and have been hard masked accordingly.
#
# Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
#
games-fps/unreal-tournament-goty
games-fps/unreal-tournament-strikeforce
games-fps/unreal-tournament-bonuspacks
games-fps/aaut

Thanks,

William



* Re: [gentoo-dev] qa last rites multiple packages
From: Rich Freeman @ 2015-01-07 12:56 UTC
  To: gentoo development

On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@gentoo.org> wrote:
>
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
>

Is this policy documented anywhere?  If not, I'd be interested in what
the general sense of the community is here, and this might be an
appropriate topic for the next Council meeting.

I guess my question is what harm does it cause to have masked packages
in the main tree, where they at least benefit from other forms of QA
(eclass fixes, etc)?  The mask messages clearly point out the security
issues, so anybody who unmasks them is making an informed decision.
If they just move to some overlay most likely they won't have any
warnings and people will just figure that they're one of 10k other
packages that someone doesn't want to bother getting into the tree.

I'll go ahead and reply to the council agenda thread with this, and
I'd be interested in what the general sense of the rest of the
community is here.

-- 
Rich



* Re: [gentoo-dev] qa last rites multiple packages
From: Alan McKinnon @ 2015-01-07 13:10 UTC
  To: gentoo-dev

On 07/01/2015 14:56, Rich Freeman wrote:
> On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@gentoo.org> wrote:
>>
>> I am particularly concerned about packages with known security
>> vulnerabilities staying in the main tree masked. If people want to keep
>> using those packages, I don't want to stop them, but packages like this
>> should not be in the main tree.
>>
> 
> Is this policy documented anywhere?  If not, I'd be interested in what
> the general sense of the community is here, and this might be an
> appropriate topic for the next Council meeting.
> 
> I guess my question is what harm does it cause to have masked packages
> in the main tree, where they at least benefit from other forms of QA
> (eclass fixes, etc)?  The mask messages clearly point out the security
> issues, so anybody who unmasks them is making an informed decision.
> If they just move to some overlay most likely they won't have any
> warnings and people will just figure that they're one of 10k other
> packages that someone doesn't want to bother getting into the tree.
> 
> I'll go ahead and reply to the council agenda thread with this, and
> I'd be interested in what the general sense of the rest of the
> community is here.


I always thought the (informal, ad-hoc) policy for buildable, working
packages with security bugs was to p.mask them and let the user decide.
For all the reasons you cite.

And that packages are only removed from the tree when they don't build,
don't work, upstream is gone and took their sources with them, etc, etc.


-- 
Alan McKinnon
alan.mckinnon@gmail.com




* Re: [gentoo-dev] qa last rites multiple packages
From: Brian Evans @ 2015-01-07 13:37 UTC
  To: gentoo-dev


On 1/6/2015 6:47 PM, William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with
> no signs of fixes.
> 
> I am particularly concerned about packages with known security 
> vulnerabilities staying in the main tree masked. If people want to
> keep using those packages, I don't want to stop them, but packages
> like this should not be in the main tree.

> # Sergey Popov <pinkbyte@gentoo.org> (04 Sep 2014)
> # Security mask, wrt bugs #488212, #498164, #500260,
> # #507802 and #518718
> <virtual/mysql-5.5
> <dev-db/mysql-5.5.39
> <dev-db/mariadb-5.5.39
> 

The mysql team keeps old upgrades around for several months on purpose
to give admins time to migrate between major/minor releases.

Thanks for the reminder to cleanup.  It is time to do so.

Brian Evans



* Re: [gentoo-dev] qa last rites multiple packages
From: William Hubbs @ 2015-01-07 15:52 UTC
  To: gentoo-dev


On Wed, Jan 07, 2015 at 03:10:13PM +0200, Alan McKinnon wrote:
> On 07/01/2015 14:56, Rich Freeman wrote:
> > On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <williamh@gentoo.org> wrote:
> >>
> >> I am particularly concerned about packages with known security
> >> vulnerabilities staying in the main tree masked. If people want to keep
> >> using those packages, I don't want to stop them, but packages like this
> >> should not be in the main tree.
> >>
> > 
> > Is this policy documented anywhere?  If not, I'd be interested in what
> > the general sense of the community is here, and this might be an
> > appropriate topic for the next Council meeting.
> > 
> > I guess my question is what harm does it cause to have masked packages
> > in the main tree, where they at least benefit from other forms of QA
> > (eclass fixes, etc)?  The mask messages clearly point out the security
> > issues, so anybody who unmasks them is making an informed decision.
> > If they just move to some overlay most likely they won't have any
> > warnings and people will just figure that they're one of 10k other
> > packages that someone doesn't want to bother getting into the tree.
> > 
> > I'll go ahead and reply to the council agenda thread with this, and
> > I'd be interested in what the general sense of the rest of the
> > community is here.
> 
> 
> I always thought the (informal, ad-hoc) policy for buildable, working
> packages with security bugs was to p.mask them and let the user decide.
> For all the reasons you cite.
> 
> And that packages are only removed from the tree when they don't build,
> don't work, upstream is gone and took their sources with them, etc, etc.

My understanding of p.mask is it is never permanent. Things go in
there until they get fixed or eventually removed.

p.masked packages do not directly benefit from any forms of qa (eclass
fixes, etc).

I don't think, for example, we test eclass changes to see if they
break masked packages.

Also, as far as I know, we don't use p.masked packages as a
way to keep eclasses in the tree, do we? For example (I haven't looked
at the code), I'm guessing that a number of these packages use
games.eclass which is on the way out. If we say we can't get rid of
these packages, we may not be able to get rid of games.eclass.

It is unlikely as well that masked packages are actively maintained at
all, especially those that have been sitting in the tree masked for
multiple years. You are basically asking that we keep bitrotting broken
packages in the tree.

William



* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Pagano @ 2015-01-07 16:21 UTC
  To: gentoo-dev; +Cc: gentoo-dev-announce

On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
> 
> # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
> #
> # Pinkie Pie discovered an issue in the futex subsystem that allows a
> # local user to gain ring 0 control via the futex syscall. An
> # unprivileged user could use this flaw to crash the kernel (resulting
> # in denial of service) or for privilege escalation.
> #
> # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> =sys-kernel/gentoo-sources-3.2.58-r2
> ~sys-kernel/gentoo-sources-3.4.90
> =sys-kernel/gentoo-sources-3.4.91
> ~sys-kernel/gentoo-sources-3.10.40
> =sys-kernel/gentoo-sources-3.10.41
> ~sys-kernel/gentoo-sources-3.12.20
> =sys-kernel/gentoo-sources-3.12.21
> ~sys-kernel/gentoo-sources-3.14.4
> =sys-kernel/gentoo-sources-3.14.5

Hello,

What's the feeling for how long a package.mask entry should stay in the
file in the event that a package can cause physical damage to a user's
system?

For certain types of hardware, kernel 3.17.0 could cause some
filesystem corruption. Of course, 3.17.0 is out of the tree, but when is
it appropriate to say that a user has had enough time to upgrade their
systems and we can remove this entry?

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



* Re: [gentoo-dev] qa last rites multiple packages
From: William Hubbs @ 2015-01-07 17:11 UTC
  To: gentoo-dev; +Cc: mpagano


On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > All,
> > 
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
> > 
> > I am particularly concerned about packages with known security
> > vulnerabilities staying in the main tree masked. If people want to keep
> > using those packages, I don't want to stop them, but packages like this
> > should not be in the main tree.
> > 
> > # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
> > #
> > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > # local user to gain ring 0 control via the futex syscall. An
> > # unprivileged user could use this flaw to crash the kernel (resulting
> > # in denial of service) or for privilege escalation.
> > #
> > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > =sys-kernel/gentoo-sources-3.2.58-r2
> > ~sys-kernel/gentoo-sources-3.4.90
> > =sys-kernel/gentoo-sources-3.4.91
> > ~sys-kernel/gentoo-sources-3.10.40
> > =sys-kernel/gentoo-sources-3.10.41
> > ~sys-kernel/gentoo-sources-3.12.20
> > =sys-kernel/gentoo-sources-3.12.21
> > ~sys-kernel/gentoo-sources-3.14.4
> > =sys-kernel/gentoo-sources-3.14.5

Mike,

since you responded here, what do you think about this p.mask entry?
Should we keep these in the tree?

> 
> Hello,
> 
> What's the feeling for how long a package.mask entry should stay in the
> file in the event that a package can cause physical damage to a user's
> system?
> 
> For certain types of hardware, kernel 3.17.0 could cause some
> filesystem corruption. Of course, 3.17.0 is out of the tree, but when is
> it appropriate to say that a user has had enough time to upgrade their
> systems and we can remove this entry?

(qa hat off here, just a question)

I'm a bit confused here.
If you have a specific p.mask entry for 3.17.0 and 3.17.0 is out of the
tree, isn't that p.mask entry invalid now? If so, go ahead and remove
or adjust the entry.

William



* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Gilbert @ 2015-01-07 17:14 UTC
  To: Gentoo Dev

On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
>> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
>> > All,
>> >
>> > these packages have been masked in the tree for months - years with no
>> > signs of fixes.
>> >
>> > I am particularly concerned about packages with known security
>> > vulnerabilities staying in the main tree masked. If people want to keep
>> > using those packages, I don't want to stop them, but packages like this
>> > should not be in the main tree.
>> >
>> > # Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
>> > #
>> > # Pinkie Pie discovered an issue in the futex subsystem that allows a
>> > # local user to gain ring 0 control via the futex syscall. An
>> > # unprivileged user could use this flaw to crash the kernel (resulting
>> > # in denial of service) or for privilege escalation.
>> > #
>> > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
>> > =sys-kernel/gentoo-sources-3.2.58-r2
>> > ~sys-kernel/gentoo-sources-3.4.90
>> > =sys-kernel/gentoo-sources-3.4.91
>> > ~sys-kernel/gentoo-sources-3.10.40
>> > =sys-kernel/gentoo-sources-3.10.41
>> > ~sys-kernel/gentoo-sources-3.12.20
>> > =sys-kernel/gentoo-sources-3.12.21
>> > ~sys-kernel/gentoo-sources-3.14.4
>> > =sys-kernel/gentoo-sources-3.14.5
>
> Mike,
>
> since you responded here, what do you think about this p.mask entry?
> Should we keep these in the tree?
>
>>
>> Hello,
>>
>> What's the feeling for how long a package.mask entry should stay in the
>> file in the event that a package can cause physical damage to a user's
>> system?
>>
>> For certain types of hardware, kernel 3.17.0 could cause some
>> filesystem corruption. Of course, 3.17.0 is out of the tree, but when is
>> it appropriate to say that a user has had enough time to upgrade their
>> systems and we can remove this entry?
>
> (qa hat off here, just a question)
>
> I'm a bit confused here.
> If you have a specific p.mask entry for 3.17.0 and 3.17.0 is out of the
> tree, isn't that p.mask entry invalid now? If so, go ahead and remove
> or adjust the entry.
>

If users currently have 3.17.0 installed, portage will output a
warning message about a masked package being installed, even if the
ebuild no longer exists in the tree.

If you remove the mask, users will no longer be warned that they are
using a flawed copy of the kernel sources.

Thus, Mike's question about timing.



* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Pagano @ 2015-01-07 17:24 UTC
  To: gentoo-dev

On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs <williamh@gentoo.org> wrote:
> > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> >> > All,
> >> >
> 
> If you remove the mask, users will no longer be warned that they are
> using a flawed copy of the kernel sources.
> 
> Thus, Mike's question about timing.
> 

Exactly.

-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



* Re: [gentoo-dev] qa last rites multiple packages
From: William Hubbs @ 2015-01-07 18:11 UTC
  To: gentoo-dev


On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> > On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs <williamh@gentoo.org> wrote:
> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > >> > All,
> > >> >
> > 
> > If you remove the mask, users will no longer be warned that they are
> > using a flawed copy of the kernel sources.
> > 
> > Thus, Mike's question about timing.
> > 
> 
> Exactly.

This should be a different thread then, since this wasn't in the list I
originally posted.

However,

this is considered an invalid package.mask entry since the package that
was being masked is no longer in the tree [1].

This is just something that QA or anyone can clean up as far as I know.
We don't worry about masking packages that no longer exist in the tree.

William

[1] http://qa-reports.gentoo.org/output/invalid-mask.txt
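Added example, not code from the thread, from Portage or from repoman: a small Python checker that reproduces the two behaviours discussed above, the repoman-style "invalid mask" report from the footnote (an entry that matches no ebuild in the tree) and the Portage-style warning Mike Gilbert describes (an installed package still covered by a mask even though its ebuild is gone). The package.mask text, the tree contents and the installed set are constructed sample data; atom parsing and version ordering are simplified (no slot atoms, no _rc-style suffixes).

```python
import re

# Constructed sample package.mask in the format used in the thread; the
# 3.17.0 entry stands in for the kernel mask Mike Pagano describes.
PACKAGE_MASK = """\
# Tom Wijsman <TomWij@gentoo.org> (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# (constructed entry) kernel release with filesystem corruption on some hardware
=sys-kernel/gentoo-sources-3.17.0

# Sergey Popov <pinkbyte@gentoo.org> (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260, #507802 and #518718
<dev-db/mysql-5.5.39

# Samuli Suominen <ssuominen@gentoo.org> (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
"""

# Constructed sample state: ebuilds present in the tree, and packages installed
# on a user's system (3.17.0 is installed but no longer in the tree).
TREE = {("sys-kernel/gentoo-sources", "3.14.4-r1"),
        ("sys-kernel/gentoo-sources", "3.18.1"),
        ("dev-db/mysql", "5.5.37"), ("dev-db/mysql", "5.5.40"),
        ("media-libs/fmod", "3.75"), ("media-libs/fmod", "4.44"),
        ("games-puzzle/candycrisis", "1.0")}
INSTALLED = {("sys-kernel/gentoo-sources", "3.17.0"),
             ("sys-kernel/gentoo-sources", "3.18.1"),
             ("dev-db/mysql", "5.5.40"), ("media-libs/fmod", "3.75")}

# Operator, category/package, version, optional '*' glob. Slot atoms such as
# dev-java/ibm-jdk-bin:1.5 and _alpha/_rc suffixes are not handled (assumption).
ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=|~)(?P<cp>.+?)-(?P<ver>\d+(?:\.\d+)*[a-z]?(?:-r\d+)?)(?P<glob>\*)?$")
BARE_RE = re.compile(r"[a-z0-9+_.-]+/[A-Za-z0-9+_-]+")

def version_key(ver):
    """Simplified Gentoo version order: numeric parts, trailing letter, -rN."""
    main, _, rev = ver.partition("-r")
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", main)
    if not m:
        raise ValueError("unsupported version: " + ver)
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2), int(rev or 0)

def parse_mask(text):
    """Return [(line_no, atom)] for every non-comment line of a package.mask."""
    atoms = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ATOM_RE.match(line)
        if m:
            atoms.append((n, {"op": m["op"], "cp": m["cp"], "ver": m["ver"],
                              "glob": bool(m["glob"]), "text": line}))
        elif BARE_RE.fullmatch(line):   # bare atom: every version is masked
            atoms.append((n, {"op": None, "cp": line, "ver": None,
                              "glob": False, "text": line}))
        else:
            raise ValueError(f"line {n}: unsupported atom {line!r}")
    return atoms

def atom_matches(atom, cp, ver):
    """True if the mask atom covers version `ver` of package `cp`."""
    if atom["cp"] != cp:
        return False
    if atom["op"] is None:
        return True
    k, ak = version_key(ver), version_key(atom["ver"])
    if atom["glob"]:                    # =cat/pkg-3*: component-wise prefix
        return k[0][:len(ak[0])] == ak[0]
    if atom["op"] == "~":               # same version, any revision
        return k[:2] == ak[:2]
    return {"=": k == ak, "<": k < ak, "<=": k <= ak,
            ">": k > ak, ">=": k >= ak}[atom["op"]]

def invalid_masks(atoms, tree):
    """repoman-style report: entries that match no ebuild in the tree."""
    return [a["text"] for _, a in atoms
            if not any(atom_matches(a, cp, v) for cp, v in tree)]

def installed_masked(atoms, installed):
    """Portage-style warning: installed packages still covered by a mask,
    whether or not their ebuild is still in the tree."""
    return [(f"{cp}-{v}", a["text"]) for cp, v in sorted(installed)
            for _, a in atoms if atom_matches(a, cp, v)]

if __name__ == "__main__":
    atoms = parse_mask(PACKAGE_MASK)
    for entry in invalid_masks(atoms, TREE):
        print("invalid mask entry (no ebuild in tree):", entry)
    for pkg, entry in installed_masked(atoms, INSTALLED):
        print(f"installed {pkg} is masked by {entry!r}")
```

On the sample data the 3.17.0 entry shows up in both reports: repoman would flag it as invalid, while the installed-package check is exactly the warning that disappears if the entry is dropped.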


* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Gilbert @ 2015-01-07 18:22 UTC
  To: Gentoo Dev

On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs <williamh@gentoo.org> wrote:
> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
>> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
>> > On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs <williamh@gentoo.org> wrote:
>> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
>> > >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
>> > >> > All,
>> > >> >
>> >
>> > If you remove the mask, users will no longer be warned that they are
>> > using a flawed copy of the kernel sources.
>> >
>> > Thus, Mike's question about timing.
>> >
>>
>> Exactly.
>
> This should be a different thread then since  this wasn't in the list I
> originally posted.
>
> However,
>
> this is considered an invalid package.mask entry since the package that
> was being masked is no longer in the tree [1].

Regardless of what repoman says, the mask entry is still useful.

The repoman warning serves as a nice reminder, but please don't treat
it as policy.



* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Gilbert @ 2015-01-07 18:25 UTC
  To: Gentoo Dev

On Wed, Jan 7, 2015 at 10:52 AM, William Hubbs <williamh@gentoo.org> wrote:
> My understanding of p.mask is it is never permanent. Things go in
> there until they get fixed or eventually removed.

I disagree with this. In my opinion, it is fine to have permanently
masked packages in some cases. I don't really care what the existing
documentation says on this; documentation can be updated.

> p.masked packages do not directly benefit from any forms of qa (eclass
> fixes, etc).
>
> I don't think, for example, we test eclass changes to see if they
> break masked packages.
>
> Also, as far as I know, we don't use p.masked packages as a
> way to keep eclasses in the tree, do we? For example (I haven't looked
> at the code), I'm guessing that a number of these packages use
> games.eclass which is on the way out. If we say we can't get rid of
> these packages, we may not be able to get rid of games.eclass.

Agreed. If the ebuild has no hope of working at all, there is no point
in keeping it in the tree. It should not hold up removal of obsolete
eclasses.

> It is unlikely as well that masked packages are actively maintained at
> all, especially those that have been sitting in the tree masked for
> multiple years. You are basically asking that we keep bitrotting broken
> packages in the tree.

If the package is unmaintained and broken, then it should be removed.
However, there are cases where the package is usable and has been
masked for some other reason, security being the obvious example.



* Re: [gentoo-dev] qa last rites multiple packages
From: Mike Pagano @ 2015-01-07 18:29 UTC
  To: gentoo-dev

On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > All,
> > > #
> > > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > > # local user to gain ring 0 control via the futex syscall. An
> > > # unprivileged user could use this flaw to crash the kernel (resulting
> > > # in denial of service) or for privilege escalation.
> > > #
> > > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > > =sys-kernel/gentoo-sources-3.2.58-r2
> > > ~sys-kernel/gentoo-sources-3.4.90
> > > =sys-kernel/gentoo-sources-3.4.91
> > > ~sys-kernel/gentoo-sources-3.10.40
> > > =sys-kernel/gentoo-sources-3.10.41
> > > ~sys-kernel/gentoo-sources-3.12.20
> > > =sys-kernel/gentoo-sources-3.12.21
> > > ~sys-kernel/gentoo-sources-3.14.4
> > > =sys-kernel/gentoo-sources-3.14.5
> 
> Mike,
> 
> since you responded here, what do you think about this p.mask entry?
> Should we keep these in the tree?
 
William,

At what point do we not care about users who have not upgraded and will
miss this security message? 

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



* Re: [gentoo-dev] qa last rites multiple packages
From: Kristian Fiskerstrand @ 2015-01-07 18:48 UTC
  To: gentoo-dev


On 01/07/2015 07:22 PM, Mike Gilbert wrote:
> On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs <williamh@gentoo.org>
> wrote:
>> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
>>> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
>>>> On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs
>>>> <williamh@gentoo.org> wrote:
>>>>> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano
>>>>> wrote:
>>>>>> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs
>>>>>> wrote:
>>>>>>> All,
>>>>>>> 
>>>> 
>>>> If you remove the mask, users will no longer be warned that
>>>> they are using a flawed copy of the kernel sources.
>>>> 
>>>> Thus, Mike's question about timing.
>>>> 
>>> 
>>> Exactly.
>> 
>> This should be a different thread then since  this wasn't in the
>> list I originally posted.
>> 
>> However,
>> 
>> this is considered an invalid package.mask entry since the
>> package that was being masked is no longer in the tree [1].
> 
> Regardless of what repoman says, the mask entry is still useful.
> 
> The repoman warning serves as a nice reminder, but please don't
> treat it as policy.
> 


My two cents is that this is particularly true for kernel sources. For
other applications GLSAs will take over the responsibility for the
mask to ensure an upgrade path, however as we don't currently have a
structured mechanism for kernels I support the mask personally.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-07 18:29     ` Mike Pagano
@ 2015-01-07 19:08       ` William Hubbs
  2015-01-07 19:48         ` Mike Pagano
  0 siblings, 1 reply; 24+ messages in thread
From: William Hubbs @ 2015-01-07 19:08 UTC (permalink / raw
  To: gentoo-dev


On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > All,
> > > > #
> > > > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > > > # local user to gain ring 0 control via the futex syscall. An
> > > > # unprivileged user could use this flaw to crash the kernel (resulting
> > > > # in denial of service) or for privilege escalation.
> > > > #
> > > > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > > > =sys-kernel/gentoo-sources-3.2.58-r2
> > > > ~sys-kernel/gentoo-sources-3.4.90
> > > > =sys-kernel/gentoo-sources-3.4.91
> > > > ~sys-kernel/gentoo-sources-3.10.40
> > > > =sys-kernel/gentoo-sources-3.10.41
> > > > ~sys-kernel/gentoo-sources-3.12.20
> > > > =sys-kernel/gentoo-sources-3.12.21
> > > > ~sys-kernel/gentoo-sources-3.14.4
> > > > =sys-kernel/gentoo-sources-3.14.5
> > 
> > Mike,
> > 
> > since you responded here, what do you think about this p.mask entry?
> > Should we keep these in the tree?
>  
> William,
> 
> At what point do we not care about users who have not upgraded and will
> miss this security message? 
 
 I would say that's more up to you as the maintainer, but put something
 to the effect in the mask comment.

 # This mask will be removed <whenever>

William




* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-07 19:08       ` William Hubbs
@ 2015-01-07 19:48         ` Mike Pagano
  2015-01-07 22:33           ` William Hubbs
  0 siblings, 1 reply; 24+ messages in thread
From: Mike Pagano @ 2015-01-07 19:48 UTC (permalink / raw
  To: gentoo-dev

On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > All,
> > William,
> > 
> > At what point do we not care about users who have not upgraded and will
> > miss this security message? 
>  
>  I would say that's more up to you as the maintainer, but put something
>  to the effect in the mask comment.
> 
>  # This mask will be removed <whenever>
> 
> William
> 

Fair enough. This question is to anyone that supports users and works on
bugs.  Especially the portage devs. At what point do you say to a user
that their system is so old that they really need to upgrade?

2 years, 1 year, < 1 year?  Maybe that's a good thing to state in documentation.

"For a fully supported and "reasonably secure as possible" Gentoo system, the
distribution expects users to update at least X times a year. Notice of
insecure or potentially harmful packages is not guaranteed one year after
official notification."

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail     : mpagano@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



* Kernel Security masks (was: Re: [gentoo-dev] qa last rites multiple packages)
  2015-01-07 18:48             ` Kristian Fiskerstrand
@ 2015-01-07 20:16               ` Kristian Fiskerstrand
  0 siblings, 0 replies; 24+ messages in thread
From: Kristian Fiskerstrand @ 2015-01-07 20:16 UTC (permalink / raw
  To: gentoo-dev


On 01/07/2015 07:48 PM, Kristian Fiskerstrand wrote:
> On 01/07/2015 07:22 PM, Mike Gilbert wrote:
>> On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs
>> <williamh@gentoo.org> wrote:

...

> 
> 
> My two cents is that this is particularly true for kernel sources.
> For other applications GLSAs will take over the responsibility for
> the mask to ensure an upgrade path, however as we don't currently
> have a structured mechanism for kernels I support the mask
> personally.
> 

Adding on to this: if we follow up from the earlier thread on kernel
series stabilization, could it be an idea to keep package masks for
LTS branches of the kernel at least, but as a <= rather than specific
kernel versions? As such this could be updated when new bugs are
announced without clobbering the p.masks file going forwards.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


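To make the two mask shapes concrete, here is an added example (not code from the thread and not Portage's own atom or version code): a simplified Portage-style atom matcher that checks which installed kernel versions the explicit per-version entry quoted earlier in the thread catches, compared with a single `<=` bound of the kind Kristian proposes. The `<=` bound and the list of installed versions are constructed for illustration.

```python
# Added example (not from the thread): a simplified Portage-style atom matcher
# used to compare the explicit per-version kernel mask quoted above with a
# single '<=' bound. Not Portage's own vercmp: only dotted integer versions
# with an optional -rN revision are handled (no _rc/_p suffixes or '=...*').
import re

# op + category/package + optional "-version"; the package name is matched
# non-greedily so the version (which must start with a digit) splits off.
ATOM_RE = re.compile(
    r'^(?P<op><=|>=|<|>|=|~)?(?P<cat>[\w+.-]+)/(?P<pkg>[\w+-]+?)'
    r'(?:-(?P<ver>\d+(?:\.\d+)*(?:-r\d+)?))?$')

def parse_version(ver):
    """'3.2.58-r2' -> ((3, 2, 58), 2); a missing revision counts as 0."""
    base, _, rev = ver.partition('-r')
    return tuple(int(x) for x in base.split('.')), int(rev or 0)

def compare(a, b):
    """-1/0/1; numeric parts first (tuple order: 3.10 < 3.10.0), then revision."""
    if a[0] != b[0]:
        return -1 if a[0] < b[0] else 1
    return (a[1] > b[1]) - (a[1] < b[1])

def parse_atom(atom):
    """-> (operator, 'category/pkg', parsed version or None)."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f'unsupported atom: {atom!r}')
    ver = parse_version(m.group('ver')) if m.group('ver') else None
    return m.group('op') or '', f"{m.group('cat')}/{m.group('pkg')}", ver

def atom_matches(atom, cpv):
    """True if the mask atom covers the installed 'category/pkg-version'."""
    op, cp, want = parse_atom(atom)
    _, have_cp, have = parse_atom(cpv)
    if cp != have_cp or have is None:
        return False
    if want is None:                 # bare 'category/pkg' masks every version
        return True
    if op == '~':                    # any revision of exactly this version
        return have[0] == want[0]
    c = compare(have, want)
    return {'': c == 0, '=': c == 0, '<': c < 0, '<=': c <= 0,
            '>': c > 0, '>=': c >= 0}[op]

def masked_by(mask_text, cpv):
    """Atoms of a package.mask fragment that match cpv; comments are skipped."""
    atoms = [line.strip() for line in mask_text.splitlines()
             if line.strip() and not line.lstrip().startswith('#')]
    return [a for a in atoms if atom_matches(a, cpv)]

# The explicit per-version entry quoted in the thread (CVE-2014-3153 mask).
EXPLICIT_MASK = """
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5
"""
# Constructed '<=' bound at the newest masked version (not a real tree entry).
BOUND_MASK = "<=sys-kernel/gentoo-sources-3.14.5\n"
# Constructed installed versions: two the list names, one older than anything
# listed, and a newer 3.10 version that the explicit list leaves alone.
INSTALLED = ('sys-kernel/gentoo-sources-3.2.58-r2',
             'sys-kernel/gentoo-sources-3.10.40-r1',
             'sys-kernel/gentoo-sources-3.10.39',
             'sys-kernel/gentoo-sources-3.10.42')

def coverage(mask_text, installed=INSTALLED):
    """cpv -> whether the mask fragment catches it."""
    return {cpv: bool(masked_by(mask_text, cpv)) for cpv in installed}
```

On the constructed list the explicit entry catches only the two versions it names, while the `<=` bound catches all four, including the newer 3.10 version the explicit entry leaves unmasked: a single bound is not branch-scoped, which is the trade-off to weigh when maintaining masks per LTS branch.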

* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-07 19:48         ` Mike Pagano
@ 2015-01-07 22:33           ` William Hubbs
  2015-01-07 23:12             ` William Hubbs
  0 siblings, 1 reply; 24+ messages in thread
From: William Hubbs @ 2015-01-07 22:33 UTC (permalink / raw
  To: gentoo-dev; +Cc: ulm


On Wed, Jan 07, 2015 at 02:48:01PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> > On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > > All,
> > > William,
> > > 
> > > At what point do we not care about users who have not upgraded and will
> > > miss this security message? 
> >  
> >  I would say that's more up to you as the maintainer, but put something
> >  to the effect in the mask comment.
> > 
> >  # This mask will be removed <whenever>
> > 
> > William
> > 
> 
> Fair enough. This question is to anyone that supports users and works on
> bugs.  Especially the portage devs. At what point do you say to a user
> that their system is so old that they really need to upgrade?
> 
> 2 years, 1 year, < 1 year?  Maybe that's a good thing to state in documentation.

We already have a distro policy about this. I put ulm on this email
specifically, because he knows where the link is, and I don't right now.

Basically, at the distro level, anything over a year old is fair game to
be dropped.

William



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-07 22:33           ` William Hubbs
@ 2015-01-07 23:12             ` William Hubbs
  0 siblings, 0 replies; 24+ messages in thread
From: William Hubbs @ 2015-01-07 23:12 UTC (permalink / raw
  To: gentoo-dev; +Cc: ulm


On Wed, Jan 07, 2015 at 04:33:19PM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 02:48:01PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> > > On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > > > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > > > All,
> > > > William,
> > > > 
> > > > At what point do we not care about users who have not upgraded and will
> > > > miss this security message? 
> > >  
> > >  I would say that's more up to you as the maintainer, but put something
> > >  to the effect in the mask comment.
> > > 
> > >  # This mask will be removed <whenever>
> > > 
> > > William
> > > 
> > 
> > Fair enough. This question is to anyone that supports users and works on
> > bugs.  Especially the portage devs. At what point do you say to a user
> > that their system is so old that they really need to upgrade?
> > 
> > 2 years, 1 year, < 1 year?  Maybe that's a good thing to state in documentation.
> 
> We already have a distro policy about this. I put ulm on this email
> specifically, because he knows where the link is, and I don't right now.
> 
> Basically, at the distro level, anything over a year old is fair game to
> be dropped.
Ok, here it is:

the council decided that the portage tree must provide an upgrade path
to a stable system which hasn't been upgraded for one year [1].

That's pretty general. What I would say about the kernel situation is,
it should be up to the maintainers, and it can be removed sooner if
g-sources-3.17.0 was never stabled.

William

[1] http://www.gentoo.org/proj/en/council/meeting-logs/20091109-summary.txt



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-07 18:11         ` William Hubbs
  2015-01-07 18:22           ` Mike Gilbert
@ 2015-01-08  0:27           ` Andrew Savchenko
  1 sibling, 0 replies; 24+ messages in thread
From: Andrew Savchenko @ 2015-01-08  0:27 UTC (permalink / raw
  To: gentoo-dev


On Wed, 7 Jan 2015 12:11:04 -0600 William Hubbs wrote:
> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> > > If you remove the mask, users will no longer be warned that they are
> > > using a flawed copy of the kernel sources.
> > > 
> > > Thus, Mike's question about timing.
> > > 
> > 
> > Exactly.
> 
> This should be a different thread then since this wasn't in the list I
> originally posted.
> 
> However,
> 
> this is considered an invalid package.mask entry since the package that
> was being masked is no longer in the tree [1].
> 
> This is just something that QA or anyone can clean up as far as I know.
> We don't worry about masking packages that no longer exist in the tree.
> 
> William
> 
> [1] http://qa-reports.gentoo.org/output/invalid-mask.txt

Probably this policy should be changed. It is a common (yet not
enforced) rule to support at least one year old setups. Thus masks
should remain at least one year after package (or affected
version(s)) was removed from tree. People can't emerge world daily.

IMO it will hurt no-one to retain that list forever, maybe put it
to something like package.mask.obsolete and update PMS to support
it.

Best regards,
Andrew Savchenko



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-06 23:47 [gentoo-dev] qa last rites multiple packages William Hubbs
                   ` (2 preceding siblings ...)
  2015-01-07 16:21 ` Mike Pagano
@ 2015-01-08  1:26 ` Andrew Savchenko
  2015-01-08  4:58   ` William Hubbs
  2015-01-08 10:29 ` Sergei Trofimovich
  2015-01-09 22:48 ` Robin H. Johnson
  5 siblings, 1 reply; 24+ messages in thread
From: Andrew Savchenko @ 2015-01-08  1:26 UTC (permalink / raw
  To: gentoo-dev


On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with no
> signs of fixes.

Some of them are binary packages or have no fixes upstream. If
there are no alternatives in tree for a package, and it works fine
(despite some bugs or issues), then let it be. If package is
broken, doesn't compile and upstream is dead, this is a possible
candidate for removal.

> # Ulrich Müller <ulm@gentoo.org> (15 Jul 2014)
> # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> # pending multiple security vulnerabilities and QA issues.
> # See bugs #515926

This is just QA.

> games-fps/rtcw

Works fine here. While there are possible security issues due to
510960, it is perfectly safe to be used in isolated environment
(e.g. a local game in a separate container).

> # Chris Gianelloni <wolf31o2@gentoo.org> (03 Mar 2008)
> # Masking due to security bug #194607 and security bug #204067
> games-fps/doom3
> games-fps/doom3-cdoom
> games-fps/doom3-chextrek
> games-fps/doom3-data
> games-fps/doom3-demo
> games-fps/doom3-ducttape
> games-fps/doom3-eventhorizon
> games-fps/doom3-hellcampaign
> games-fps/doom3-inhell
> games-fps/doom3-lms
> games-fps/doom3-mitm
> games-fps/doom3-phantasm
> games-fps/doom3-roe

Only doom3 is vulnerable here, other packages are just deps.
Both vulnerabilities are remote, so local users (e.g. if someone
just wants to play original doom3 without multiplayer game) are
perfectly safe.

Yet this issue may be fixed: doom3 released source code under GPL-3:
https://github.com/id-Software/DOOM-3
Maybe doom3 should be renamed to doom3-bin (if someone needs it for
whatever reason), and doom3 should be readded as a GPL-3 version.
Doom3 build from source works great for me.

Security issues are just format string handlings and should be easy
to fix with source code available, though considering how picky the
games team is about changing network code outside of upstream, I really
doubt such patches have a chance to come to the tree.

> # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> # masked pending unresolved security issues #127167
> games-roguelike/slashem
> 
> # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> # masked pending unresolved security issues #125902
> games-roguelike/nethack
> games-util/hearse

Upstream doesn't consider these issues as bugs at all. This is a
clash of incompatible permission policies by games team and
nethack.
 
Best regards,
Andrew Savchenko



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-08  1:26 ` Andrew Savchenko
@ 2015-01-08  4:58   ` William Hubbs
  0 siblings, 0 replies; 24+ messages in thread
From: William Hubbs @ 2015-01-08  4:58 UTC (permalink / raw
  To: gentoo-dev


On Thu, Jan 08, 2015 at 04:26:02AM +0300, Andrew Savchenko wrote:
> On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> > All,
> > 
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
> 
> Some of them are binary packages or have no fixes upstream. If
> there are no alternatives in tree for a package, and it works fine
> (despite some bugs or issues), then let it be. If package is
> broken, doesn't compile and upstream is dead, this is a possible
> candidate for removal.
> 
> > # Ulrich Müller <ulm@gentoo.org> (15 Jul 2014)
> > # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> > # pending multiple security vulnerabilities and QA issues.
> > # See bugs #515926
> 
> This is just QA.
> 
> > games-fps/rtcw
> 
> Works fine here. While there are possible security issues due to
> 510960, it is perfectly safe to be used in isolated environment
> (e.g. a local game in a separate container).
> 
> > # Chris Gianelloni <wolf31o2@gentoo.org> (03 Mar 2008)
> > # Masking due to security bug #194607 and security bug #204067
> > games-fps/doom3
> > games-fps/doom3-cdoom
> > games-fps/doom3-chextrek
> > games-fps/doom3-data
> > games-fps/doom3-demo
> > games-fps/doom3-ducttape
> > games-fps/doom3-eventhorizon
> > games-fps/doom3-hellcampaign
> > games-fps/doom3-inhell
> > games-fps/doom3-lms
> > games-fps/doom3-mitm
> > games-fps/doom3-phantasm
> > games-fps/doom3-roe
> 
> Only doom3 is vulnerable here, other packages are just deps.
> Both vulnerabilities are remote, so local users (e.g. if someone
> just wants to play original doom3 without multiplayer game) are
> perfectly safe.
> 
> Yet this issue may be fixed: doom3 released source code under GPL-3:
> https://github.com/id-Software/DOOM-3
> Maybe doom3 should be renamed to doom3-bin (if someone needs it for
> whatever reason), and doom3 should be readded as a GPL-3 version.
> Doom3 build from source works great for me.

This would be for the maintainers to decide, but if it is under gpl3
now, I would vote for adding the new version and getting rid of the old
one. I don't see a need to keep a binary proprietary product if the new
one is gpl'd.

This is why I posted this last rites, to get people to look at the
packages. :-)

William

> 
> Security issues are just format string handlings and should be easy
> to fix with source code available, though considering how picky the
> games team is about changing network code outside of upstream, I really
> doubt such patches have a chance to come to the tree.
> 
> > # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> > # masked pending unresolved security issues #127167
> > games-roguelike/slashem
> > 
> > # Tavis Ormandy <taviso@gentoo.org> (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> > games-util/hearse
> 
> Upstream doesn't consider these issues as bugs at all. This is a
> clash of incompatible permission policies by games team and
> nethack.
>  
> Best regards,
> Andrew Savchenko




* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-06 23:47 [gentoo-dev] qa last rites multiple packages William Hubbs
                   ` (3 preceding siblings ...)
  2015-01-08  1:26 ` Andrew Savchenko
@ 2015-01-08 10:29 ` Sergei Trofimovich
  2015-01-09 22:48 ` Robin H. Johnson
  5 siblings, 0 replies; 24+ messages in thread
From: Sergei Trofimovich @ 2015-01-08 10:29 UTC (permalink / raw
  To: gentoo-dev; +Cc: williamh


On Tue, 6 Jan 2015 17:47:10 -0600
William Hubbs <williamh@gentoo.org> wrote:

> # Michael Weber <xmw@gentoo.org> (9 Jul 2013)
> # Masked for security bug 450746, CVE-2012-6095
> <net-ftp/proftpd-1.3.4c

Was removed in May 2014. I've removed the mask itself today.

-- 

  Sergei



* Re: [gentoo-dev] qa last rites multiple packages
  2015-01-06 23:47 [gentoo-dev] qa last rites multiple packages William Hubbs
                   ` (4 preceding siblings ...)
  2015-01-08 10:29 ` Sergei Trofimovich
@ 2015-01-09 22:48 ` Robin H. Johnson
  5 siblings, 0 replies; 24+ messages in thread
From: Robin H. Johnson @ 2015-01-09 22:48 UTC (permalink / raw
  To: gentoo development

On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> # Sergey Popov <pinkbyte@gentoo.org> (04 Sep 2014)
> # Security mask, wrt bugs #488212, #498164, #500260,
> # #507802 and #518718
> <virtual/mysql-5.5
> <dev-db/mysql-5.5.39
The only upgrade path still supported is via MySQL 5.1, so we need a
single 5.1 build.

> <dev-db/mariadb-5.5.39
Nothing matches this mask anymore.

> # Ulrich Müller <ulm@gentoo.org> (15 Jul 2014)
> # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> # pending multiple security vulnerabilities and QA issues.
> # See bugs #515926 and #510960.
...
> sys-block/afacli
There is no replacement for AACRAID admin.

> # Sergey Popov <pinkbyte@gentoo.org> (20 Mar 2014)
> # Security mask of vulnerable versions, wrt bug #424167
> <net-nds/openldap-2.4.35
- As Patrick noted, we need to keep one 2.3.x version, for those that
  need to interact with other systems, as replication does not work
  between different major versions.
- Can somebody from s390 & ppc64 please stabilize a newer build as well,
  you're both back on 2.4.30 as well; per bug #516108.
> # <klieber@gentoo.org> (01 Apr 2004)
> # The following packages contain a remotely-exploitable
> # security vulnerability and have been hard masked accordingly.
> #
> # Please see http://bugs.gentoo.org/show_bug.cgi?id=44351 for more info
> #
> games-fps/unreal-tournament-goty
> games-fps/unreal-tournament-strikeforce
> games-fps/unreal-tournament-bonuspacks
> games-fps/aaut
The games themselves still work, and are lots of fun.

export YES_I_ACCEPT_THIS_SECURITY_RISK_I_WANT_MY_GAME=1

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@gentoo.org
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85


