Alec Warner wrote:
> Currently mgorny is the listed maintainer of boa. What if instead of a
> bunch of CVEs he just decided he had better things to do with his
> time.
> He last-rites the package, giving a 90d deadline for the package to
> find a new owner.
> No one cares to maintain boa, so no one steps up, and the package is
> removed after 90d.

That would be perfectly fine of course.

Note that mgorny protested in the lastrite bug way before my mail.


> I think the current state is that no one with commit access to
> ::gentoo cares, so it will be removed unless someone changes their
> mind.

That seems accurate.


John Helmert III wrote:
> > Do you continue to believe that boa has vulnerabilities involving files
> > and functionality (as mentioned by the maintainer mgorny in #882773#c1)
> > which do not exist in the package?
> 
> Just like it isn't your responsibility to "cleanup NVD", it's not my
> responsibility to authoritatively verify every CVE that Gentoo
> Security acts upon.

Of course not by others in Gentoo Security, but I think it is for
inputs that you yourself act on. (Everyone of course and I am mindful
to do it too.)


> Even if I did make such a judgement, I will *not* risk my being
> wrong and exposing Gentoo users to vulnerabilities unnecessarily,
> even when prompted to by users on mailing lists.

Your nginx example seemed to say otherwise.

It's good to be afraid of being wrong but then please work with
trusted peers to feel confident about being right instead of racing
to bottom quality.

Since you don't trust my analysis of both versions of the source code
published by upstream please do collect further analysis from peers,
so as to not be wrong in the opposite.


> > The CVEs are obviously invalid and yes someone could contribute time
> > to clean up NVD but I honestly don't think that either upstream or
> > myself can reasonably be made responsible for invalid CVEs submitted
> > by third parties.
> 
> Again, we're not making judgements about "obviously invalid".

I do think Gentoo Security needs to validate. *scratches head*

This is obviously the most interesting part of this thread.


> The time you've spent arguing with us on gentoo-dev could've been
> easily spent asking upstream about the issue.

I verified the three CVEs to be non-issues, what is there for me to
ask upstream about?

I analyzed the source code before sending my first mail and confirmed
that the CVEs do not exist in boa. That's why I sent the mail saying
that the reports are false.

A lastrite commit in Gentoo based on invalid CVEs has little to do
with upstream.

You're reversing the burden of proof based on a false claim.


> > I disagree, that's only a good way to measure how many distributions care.
> 
> Which is *precisely* the point I'm making. If distributions with many
> times the resources of Gentoo don't care to package it, that's a bad
> indicator of how well the package is taken care of.

How can you know why someone else does or *doesn't* do something?
That's absurd.


> > Each distribution has its own dynamic (but actually distributions also
> > tend to herd behavior)

You really leaned into the herd behavior there. :\


> > Again: Impact shouldn't matter, correctness should.
> 
> And again, I'm generally not going to be validating every CVE ever for
> correctness.

Only those you act on.


> > > It generally can't work better with MITRE being useless in many
> > > cases. Yes, the CVEs seem garbage, but I can't say that
> > > authoritatively, so I don't.
> > 
> > What would convince you?
> 
> Anything from upstream, or a withdrawal of the CVEs, or a notice from
> the CVE reporters that they're invalid. But I really don't understand
> why anybody cares about this leaf package that nobody actually seems
> to use, including you.

Imagine that I fork boa to a project called boah, change nothing but
the version number, create a release and then tell you again that the
three CVEs are invalid for both boa and boah.


//Peter
