<snip> > The package was masked due to a miscommunication with the Gentoo > Security project. > > While it is true that the way opentmpfiles is currently implemented > allows for certain races, from the security point of view, you always > have to classify the vulnerability in context of your threat model > because security depends on multiple layers (onion model). <snip>
I would like to respectfully point out that this makes 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless") 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account). https://www.gentoo.org/support/security/vulnerability-treatment-policy.html -- Andreas K. Hüttel dilfri...@gentoo.org Gentoo Linux developer (council, toolchain, base-system, perl, libreoffice)
signature.asc
Description: This is a digitally signed message part.
