Hi there,

On Wednesday 06 September 2006 12:00, Jonas Fietz wrote:
> paul kölle wrote:
> > José González Gómez wrote:
> I think a better approach for this would be to have a kind of wiki web
> hosted at whatever.gentoo.org, where admins would report their
> success/failure using a given version of a package with a given set of use
> flags.

There already is an unofficial wiki. If you want something more official the new [1] Gentoo Knowledge Base might become what you're looking for.

> >> I would like to make a proposal here. What if no longer maintained
> >> ebuilds were marked but not deleted? Let's say you have _x86 in
> >> KEYWORDS for ebuilds/packages no longer maintained, that emerge is
> >> aware of that and can inform us of this and that those ebuilds are
> >> maintained in the portage tree for, let's say, a year WITH NO SECURITY
> >> BACKPORTS on them. This would be kind of an end of life notice that
> >> gives you some time to react. This way you still would be able to use
> >> the ebuild at your own risk, and this wouldn't represent much extra
> >> work load for the Gentoo devs, as the deletion process could be
> >> automatic with the use of some scripts. What do you think?

I haven't followed the Sunrise discussion so this might be dead wrong, but I think such ebuilds might have a new and totally unsupported security-wise home there. (No flames please)

> I am not sure about it, but I think that there are no GLSAs published
> for deleted packages, so you would effectively not know if there was a
> security problem. By the nature of how GLSAs are written, it might still
> be that your version is marked as being vulnerable. (Most of the time it
> is "<specific-version")

Note that GLSAs are not issued for _all_ issues, only those of a given severity. See Gentoo Linux Vulnerability Treatment Policy [1] for further details.

[1] http://www.gentoo.org/proj/en/kbase/
[2] http://www.gentoo.org/security/en/vulnerability-policy.xml

--
Sune Kloppenborg Jeppesen
Gentoo Linux Security Team
