From: William Hubbs <williamh@gentoo.org>
To: gentoo-project@lists.gentoo.org
Cc: Richard Freeman <rich0@gentoo.org>, Sergey Popov <pinkbyte@gentoo.org>
Subject: Re: [gentoo-project] Council meeting 2015-01-13: call for agenda items
Date: Wed, 7 Jan 2015 13:35:17 -0600 [thread overview]
Message-ID: <20150107193517.GA7953@linux1> (raw)
In-Reply-To: <CAGfcS_mzh5yeXQm3QhGweeFU0EyFwqqbD6a+iY9OpDt1yY-oVw@mail.gmail.com>
On Wed, Jan 07, 2015 at 12:45:07PM -0500, Rich Freeman wrote:
> On Wed, Jan 7, 2015 at 11:30 AM, William Hubbs <williamh@gentoo.org> wrote:
> > That's the whole point of a last rites, to get people to step up and
> > take responsibility for packages. Also, this was cleared with the qa
> > lead before it was ever sent out.
>
> Define "take responsibility for packages." As far as I'm aware there
> is no policy that requires maintainers to fix any upstream bug, and
> security issues are almost always upstream bugs.
You're right, there isn't a requirement for us to fix upstream bugs, and
there shouldn't be.
>
> A package with a security bug for 10 years could be perfectly
> well-maintained, with regular updates/etc as often as upstream
> publishes them. Some software projects are fairly mature and don't
> get a lot of upstream updates, so a package might be untouched for 5
> years and have security issues and still be "well-maintained."
>
> I think the solution to this is to have the community agree on just
> what "well-maintained" actually means and documenting this as policy,
> versus just making individual judgment calls. To be sure there will
> still be grey areas, but I think that right now the policies are too
> vague to try to enforce something like this.
Based on our conversation on irc, what about this -- this is really
about information in package.mask.
If we want to keep proprietary packages with security issues in the
tree, they should be marked as proprietary in package.mask so it is
obvious that they will never be fixed.
If there is an upstream security issue with a non-proprietary
package:
When a version or revision with the fix is available, it should be
fast stabled. Once that is done, all older versions should be removed
if possible. If this is not possible right away, the older versions
should go in p.mask with a removal date.
Thoughts?
William