From: William Hubbs <williamh@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Council meeting 2015-01-13: call for agenda items
Date: Thu, 8 Jan 2015 09:05:33 -0600
Message-ID: <20150108150533.GA14817@linux1>
In-Reply-To: <20150108002118.4e788983796904090c47a072@gentoo.org>
On Thu, Jan 08, 2015 at 12:21:18AM +0300, Andrew Savchenko wrote:
> Hello,
>
> On Wed, 7 Jan 2015 13:35:17 -0600 William Hubbs wrote:
> > If we want to keep proprietary packages with security issues in the
> > tree, they should be marked as proprietary in package.mask so it is
> > obvious that they will never be fixed.
> >
> > If there is an upstream security issue with a non-proprietary
> > package:
> >
> > When a version or revision with the fix is available, it should be
> > fast stabled. Once that is done, all older versions should be removed
> > if possible. If this is not possible right away, the older versions
> > should go in p.mask with a removal date.
> >
> > Thoughts?
>
> What about open source packages with no fixes or where upstream doesn't
> consider the bug a security issue? A good example is
> games-roguelike/nethack, bug 125902, where upstream doesn't
> consider the issue a security problem and for many setups (e.g.
> personal device with single user in the games group) this is not a
> problem at all?

I just read through this bug, and I see it the same way most people who
posted to the bug see it. It is a major flaw in how our games policies
were designed. Since it is known that we are moving toward getting rid
of games.eclass, and this is a popular game, whoever takes over
maintenance should make fixing this a high priority.

If I were taking over this game, I would immediately look into rewriting
the ebuild to not use games.eclass.

> IMO packages (not specific versions, but whole packages) should not
> be removed if they work. Maybe masked, but no more.

The problem is that defining "work" is too vague. I would rather not see
something like this statement made into a distro-wide policy.

William