On Wed, 6 Jul 2016 23:13:55 +0300 Andrew Savchenko wrote:
> On Wed, 06 Jul 2016 20:23:46 +0900 Aaron Bauman wrote:
> > What kind of policing would you like to see, councilman? Would you like to
> > see me removed from the project, because your precious package was
> > p.masked? You have ignored everything I have said regarding your
> > inability to work with the security team. Even after an apology from me
> > and a request to work with us you continue on with the rhetoric of powers.
> > It displays a lot about your inability to work with others.
> >
> > No other developer is complaining... it is *literally* only you.
> 
> It is really not just him. I do not agree with the media-video/motion
> pmask with a 30-day removal term. But I had not pushed this issue
> hard, since I'm not a maintainer of this package.
>
> If this package had been masked without a removal term, I could
> at least accept, if not agree with, such an action. But there is no
> other alternative for this package and the security bugs are not
> critical (at least they do not affect many use cases at all). So
> removal from the tree will substantially harm our users.
>
> When the approach is "mask until issues are resolved, so that users are
> informed about the security hazard", it sounds reasonable, and we
> already have several packages in the tree this way. But when the
> approach is to purge the package from the tree in 30 days regardless of
> the severity of the security flaws, ignoring the fact that there is
> nothing to replace this package with, this is not the kind of
> policy I'd like to see in Gentoo.
>
> Please understand me correctly: I'm not blaming you or the security
> team for this or that issue. But it looks like the security team indeed
> needs to review some policies and approaches to suit the needs of
> Gentoo users better in terms of both security and usability, to
> find some reasonable compromise between them which will satisfy
> most users. For these particular issues it looks like cancelling the
> "removal in 30 days" clause from the p.mask action will do the job.

One more package for the list: app-cdr/xcdroast. It was being
tree-cleaned[1] due to a minor security flaw (o+r on a suid binary) in
optional functionality that is disabled by default (so users have to
enable that suid binary themselves each time after a package update).

And despite multiple calls from users (see the user comments on [1]
and read the whole thread [2]) saying they need this package, they were
asked by the security team to "stop spamming this bug"[3]. Such actions,
in my opinion, do more harm than good by deteriorating the user
experience and the number of choices available, while bringing only a
small and not always meaningful security improvement.

So it looks like both the security and treecleaners teams need to
review their policies, or at least discuss these problems publicly
in more detail. It looks like one such discussion is emerging in
thread [4].

[1] https://bugs.gentoo.org/show_bug.cgi?id=345337
[2] https://archives.gentoo.org/gentoo-user/message/6ef4447b7ffa34910ed203f4fff73cfc
[3] https://bugs.gentoo.org/show_bug.cgi?id=345337#c18
[4] https://archives.gentoo.org/gentoo-dev/message/b39c9b7365f0482ed1d5236d9ae2f6f4

Best regards,
Andrew Savchenko