On 7/6/16 7:23 AM, Aaron Bauman wrote:
> On Wednesday, July 6, 2016 8:15:24 PM JST, Anthony G. Basile wrote:
>> On 7/6/16 6:54 AM, Aaron Bauman wrote:
>>> On Wednesday, July 6, 2016 5:10:25 PM JST, Anthony G. Basile wrote:
...
>>
>> Except that I state such facts BEFORE the p.mask and you ignored it.
>> Referring to bug #473770:
>>
>> <Comment #2>
>>
>> (In reply to Anthony Basile from comment #1)
>>> The CVE for this has gone nowhere. See
>>>
>>> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2183
>>>
>>> There are no references and I can't get at the upstream bug report
>>> anymore since they moved to github.
>>
>> Actually, I found it. It's fixed:
>>
>> https://github.com/monkey/monkey/issues/93
>>
>> </Comment #2>
>>
>> <Comment #3>
>>
>> Aaron Bauman gentoo-dev Security 2016-07-01 01:39:40 UTC
>>
>> # Aaron Bauman <[email protected]> (1 Jul 2016)
>> # Unpatched security vulnerabilities and dead upstream
>> # per bugs #459274 and #473770
>> # Removal in 30 days
>> www-servers/monkeyd
>>
>> </Comment #3>
>>
>>
>> People following this can clearly see the problem here.
>>
>> I'm also disappointed that no one else in the security team has
>> recommended any internal policing in response to this. I maintain that
>> forced p.masking and version bumping should not be done by the security
>> team but passed to QA for review. Only QA is mandated with such powers
>> by GLEP 48.
>>
>
> What kind of policing would you like to see, councilman?
Policing also has the meaning of policy-ing. I'd like to see better
policies within the security team for escalation of security bugs. I'm
suggesting passing the review onto QA, but it looks like K_F (from his
other email) has other ideas which may be better for a workflow.

> Would you like to see me removed from the project, because your precious
> package was p.masked?

I never said anything to that effect. I'm arguing a point for better
policy-ing and I'm not satisfied by your solution that developers need
to just better document when a security issue is fixed. monkeyd is an
important package.

> You have ignored everything I have said regarding your inability to
> work with the security team. Even after an apology from me and a
> request to work with us you continue on with the rhetoric of powers.
> It displays a lot about your inability to work with others.

The problem is not an apology, which I appreciate. The problem is we
need better expectations of when a package is going to get p.masked on
you. p.masking a package with a notice of 30 days until removal sends a
very bad message to users who depend on it. Proceeding as the security
team has, there is no way for a developer to know what's about to
happen. Consider, I thought I'd answered the issue with bug #473770
with comment #2.

> No other developer is complaining... it is *literally* only you.
> NP-Hardass's case was not even a security bug nor handled by the
> security team. One of the bugs for monkeyd led to additional discovery
> of insecurities regarding log files, but it took a p.mask to get your
> attention. Quit pushing an agenda and work with others to make Gentoo
> more secure. Everyone else is.
>
>> It doesn't matter, there is a problem here which needs to be addressed.

I'm complaining because we need to fix a problem in our workflow. It
sounds like K_F is working on a glep for that, which I applaud.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail   : [email protected]
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
