On 7/6/16 6:54 AM, Aaron Bauman wrote:
> On Wednesday, July 6, 2016 5:10:25 PM JST, Anthony G. Basile wrote:
>> On 7/5/16 10:52 PM, NP-Hardass wrote:
>>> I think it is a little bit of a stretch to say that he's the only one to
>>> have an issue.  Now, I've spoken with the parties involved, so my issue
>>> is resolved, but I had a package of mine bumped in the name of security
>>> without being pinged/consulted at all.  I'm not attempting to point
>>> blame at anyone, but merely show that there are others who have been ...
>>
>> I agree that a ping is the necessary first step, but I'm afraid of a
>> dispute between the maintainer and the security team.  Bug #459274,
>> which I discussed in my previous email, should never have been filed and
>> should never have been acted on.  If the security team feels they must
>> touch a package, I'd like to have QA review it.  The QA leadership is
>> ratified by the council and has a long history of dealing with these
>> sorts of issues which are tried and true.
>>
>>
> 
> So just state such facts, as you did following the p.mask, and all would
> be well.  It really has been and continues to be that simple.
> 

Except that I stated such facts BEFORE the p.mask and you ignored it.
Referring to bug #473770:

<Comment #2>

(In reply to Anthony Basile from comment #1)
> The CVE for this has gone nowhere.  See
>
>     http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
>
> There are no references and I can't get at the upstream bug report anymore
> since they moved to github.

Actually, I found it.  It's fixed:

    https://github.com/monkey/monkey/issues/93

</Comment #2>

<Comment #3>

Aaron Bauman gentoo-dev Security 2016-07-01 01:39:40 UTC

# Aaron Bauman <b...@gentoo.org> (1 Jul 2016)
# Unpatched security vulnerabilities and dead upstream
# per bugs #459274 and #473770  Removal in 30 days
www-servers/monkeyd

</Comment #3>


People following this can clearly see the problem here.

I'm also disappointed that no one else in the security team has
recommended any internal policing in response to this.  I maintain that
forced p.masking and version bumping should not be done by the security
team but passed to QA for review.  Only QA is mandated with such powers
by GLEP 48.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
