On 05/09/2017 04:12 AM, Rich Freeman wrote:
> On Tue, May 9, 2017 at 12:23 AM, Yury German <bluekni...@gentoo.org> wrote:
>>
>> we can not call for cleanup or release the GLSA,
>> waiting for a stabilization of a non-core package, while the actual
>> package has been in a tree in ~arch status for weeks or months.
>
> Why not? If an arch is considered a non-security-supported arch then
> you would just ignore it in a security bug.
>

For example, I can't remove the ancient and vulnerable nagios-3.5.1
because an alternative is missing keywords:

  https://bugs.gentoo.org/show_bug.cgi?id=605724

If I drop nagios-3.5.1 without the keywords, pnp4nagios breaks.