Sender: William Hubbs <w.d.hubbs@gmail.com>
Received: (nullmailer pid 14910 invoked by uid 1000);
	Thu, 08 Jan 2015 15:05:33 -0000
Date: Thu, 8 Jan 2015 09:05:33 -0600
From: William Hubbs <williamh@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Council meeting 2015-01-13: call for agenda
 items
Message-ID: <20150108150533.GA14817@linux1>
Mail-Followup-To: gentoo-project@lists.gentoo.org
References: <201412271334.34252.dilfridge@gentoo.org>
 <CAGfcS_=_yAs72Q1sKGfNs+BADE3UUQFHcteY_kG0c7_XaguOaw@mail.gmail.com>
 <20150107163052.GA7151@linux1>
 <CAGfcS_mzh5yeXQm3QhGweeFU0EyFwqqbD6a+iY9OpDt1yY-oVw@mail.gmail.com>
 <20150107193517.GA7953@linux1>
 <20150108002118.4e788983796904090c47a072@gentoo.org>
In-Reply-To: <20150108002118.4e788983796904090c47a072@gentoo.org>
User-Agent: Mutt/1.5.22 (2013-10-16)

On Thu, Jan 08, 2015 at 12:21:18AM +0300, Andrew Savchenko wrote:
> Hello,
>
> On Wed, 7 Jan 2015 13:35:17 -0600 William Hubbs wrote:
> > If we want to keep proprietary packages with security issues in the
> > tree, they should be marked as proprietary in package.mask so it is
> > obvious that they will never be fixed.
> >
> > If there is an upstream security issue with a non-proprietary
> > package:
> >
> > When a version or revision with the fix is available, it should be
> > fast stabled.  Once that is done, all older versions should be removed
> > if possible.  If this is not possible right away, the older versions
> > should go in p.mask with a removal date.
> >
> > Thoughts?
>
> What about open source packages with no fixes, or where upstream doesn't
> consider the bug a security issue? A good example is
> games-roguelike/nethack, bug 125902, where upstream doesn't
> consider the issue a security problem, and for many setups (e.g. a
> personal device with a single user in the games group) this is not a
> problem at all.

I just read through this bug, and I see it the same way most people who
posted to the bug see it. It is a major flaw in how our games policies
were designed. Since it is known that we are moving toward getting rid
of games.eclass, and this is a popular game, whoever takes over
maintenance should make fixing this a high priority.

If I were taking over this game, I would immediately look into rewriting
the ebuild to not use games.eclass.

> IMO packages (not specific versions, but whole packages) should not
> be removed if they work. Maybe masked, but no more.

The problem is that defining "work" is too vague. I would rather not see
something like this statement made into a distro-wide policy.

William
