J. Roeleveld posted on Wed, 06 Jul 2016 20:22:57 +0200 as excerpted: > On Thursday, June 30, 2016 10:30:07 PM Aaron Bauman wrote: >> # Aaron Bauman <b...@gentoo.org> (30 Jun 2016) >> # Unpatched security vulnerability per bug #509920. >> # Removal in 30 days www-apps/egroupware > > Why is this bug being used to treeclean egroupware? > > Why is bug 461212 not being used to actually resolve the issue? > If I would actually be confident that it would actually be used, I would > have no issue on trying to get my latest ebuild ( version 14.3.20160525 > ) converted to the latest standards.
According to equery meta, egroupware has no individual developer maintainer and no proxied maintainer, only the webapps project as maintainer. And apparently there, nobody has been specifically interested in egroupware, so it has fallen thru the cracks to some degree, tho newer versions /may/ be in the webapps-experimental overlay. Here's the webapps project wiki page: https://wiki.gentoo.org/wiki/Project:Webapps That has this to say when discussing the overlay, quote: Web applications in general tend to be a severe security liability. They are designed to communicate with the outside world and need to deal with a range of input from the Internet. Since it is often hard for developers to foresee all types of malicious input, security flaws are being detected rather frequently in the apps we maintain. To reduce the impact of such incidents while still offering a wide range of different web applications, we created a Portage overlay that contains ebuilds for applications that we do not want to maintain in the main tree. Such applications either lack a developer willing to maintain it in Portage or have not been reviewed for security. The overlay can be found here: https://cgit.gentoo.org/proj/webapps-experimental.git/ Warning Please remember that the applications available through the overlay might compromise the security of your server! The overlay is an ideal playground for new developers wishing to join our team. Once we see that you are capable of writing ebuilds of reasonable quality, we can provide you with commit rights to the overlay. End quote. So it's possible newer versions are in the overlay, and they simply decided it was too much of a load to keep a version in the tree as well. If there /aren't/ newer versions in the overlay, presumably it's because nobody that has access has been interested in maintaining it in the overlay either. Either way, given your obvious interest, I'd suggest contacting them about overlay commit rights, and/or volunteering to be the proxied maintainer for this particular package. -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman
