Re: [gentoo-dev] [RFC] Removing separate "security supported" arch list
On 2021-10-21 17:16, Mike Gilbert wrote: On Thu, Oct 21, 2021 at 4:05 AM Michał Górny wrote: 4. In the end, Security team isn't really respecting this policy. In the end, this leads to absurdities like GLSA being released before a package is stable on amd64, and confusing the users [4]. This is certainly an absurd mistake, but I think it is unrelated to the topic of your message. It looks like Whissi jumped the gun on releasing a GLSA, which could happen regardless of the policy. Am I missing some context? Yeah, #4 is bullshit. The security team was never happy with the situation to hold back GLSAs until last architecture was marked stable. Saying that we are not respecting our own own policy is absurd. The team discussed this in 2018 and we agreed that it is fine to already publish a GLSA in case a GLSA is ready and when at least one major architecture (amd64 or x86 at that time) was marked stable. That exception doesn't require a formal policy update. We even wanted to go one step further and release GLSA when no fixed version is available at all to inform users and give them a chance to take actions on their own (to be able to take actions on your own, i.e. you first need to be aware of a problem). However, this would be too complicated and would frustrate many users. The lived practice with releasing GLSA already when just one major architecture has set stable keyword (and in most cases we covered amd64 and x86 at release time) received good feedback and is accepted by users and didn't cause any problems (can't remember that we ever got GLSA feedback for other architectures than amd64 or x86). -- Regards, Thomas Deutschmann / Gentoo Linux Developer fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 OpenPGP_signature Description: OpenPGP digital signature
Re: [gentoo-dev] [PATCH] 2021-10-17-openssl-bindist-removal: openssl USE=bindist removal
On Sun, Oct 17, 2021 at 04:33:17PM -0700, robb...@gentoo.org wrote: > From: "Robin H. Johnson" > > Signed-off-by: Robin H. Johnson > --- > .../2021-10-17-openssl-bindist-removal.en.txt | 38 +++ > 1 file changed, 38 insertions(+) > create mode 100644 > 2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt No responses, so merged. -- Robin Hugh Johnson Gentoo Linux: Dev, Infra Lead, Foundation Treasurer E-Mail : robb...@gentoo.org GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85 GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136 signature.asc Description: PGP signature
[gentoo-dev] Last rites: dev-java packages using EAPI 5 with no revdeps
# Jakov Smolić (2021-10-22) # The following packages are still using EAPI 5 and # have no reverse dependencies. If you need or are # using any package from the list please update it # to newer EAPI and unmask it. # Removal on 2021-11-21. Bug #819507 dev-java/absolutelayout dev-java/backport-util-concurrent dev-java/beansbinding dev-java/blowfishj dev-java/btf dev-java/commons-chain dev-java/commons-dbcp dev-java/commons-dbutils dev-java/commons-discovery dev-java/commons-email dev-java/commons-graph dev-java/commons-launcher dev-java/commons-primitives dev-java/constantine dev-java/disruptor dev-java/dynalang dev-java/ecs dev-java/fastutil dev-java/forehead dev-java/freehep-graphicsio-emf dev-java/freehep-graphicsio-svg dev-java/geoip-java dev-java/glassfish-deployment-api dev-java/gnu-crypto dev-java/gnu-hylafax dev-java/hessian dev-java/hoteqn dev-java/htmlparser dev-java/htmlparser-org dev-java/istack-commons-runtime dev-java/istack-commons-soimp dev-java/jade dev-java/jamvm dev-java/jarjar dev-java/javacsv dev-java/jazzy dev-java/jetty-alpn-api dev-java/jetty-npn-api dev-java/jexcelapi dev-java/jfreechart dev-java/jlex dev-java/jlfgr dev-java/jmi-interface dev-java/jrexx dev-java/jsr181 dev-java/jssc dev-java/jtreemap dev-java/jts-core dev-java/juel dev-java/jump dev-java/jupidator dev-java/jutils dev-java/jvyaml dev-java/metadata-extractor dev-java/nachocalendar dev-java/netty-tcnative dev-java/offo-hyphenation dev-java/opencsv dev-java/pat dev-java/piccolo2d dev-java/reflectasm dev-java/reflectasm dev-java/rngom dev-java/rundoc dev-java/sablecc dev-java/sablecc-anttask dev-java/shared-objects dev-java/simplyhtml dev-java/sjsxp dev-java/snip dev-java/spice-jndikit dev-java/super-csv dev-java/tablelayout dev-java/telnetd dev-java/texhyphj dev-java/tomcat-jstl-compat dev-java/tomcat-jstl-el dev-java/toolbar dev-java/trident dev-java/txw2-runtime dev-java/vecmath dev-java/xml-writer dev-java/xsom -- Jakov OpenPGP_signature Description: OpenPGP digital signature
[gentoo-dev] Last rites: dev-python/cheetah-docs
# Arthur Zamarin (2021-10-22) # EAPI=5, no revdeps, dead upstream. As documentation only package, # upstream isn't even closely updated to latest API by cheetah. # Removal on 2021-11-21. Bug #819504. dev-python/cheetah-docs OpenPGP_signature Description: OpenPGP digital signature
[gentoo-dev] Last rites: dev-vcs/git-deploy, dev-vcs/cvsspam
# Jakov Smolić (2021-10-22) # No maintainer, EAPI 5, no revdeps, dead upstream. # Removal on 2021-11-21. Bug #819498 dev-vcs/git-deploy # Jakov Smolić (2021-10-22) # No maintainer, EAPI 5, no revdeps, dead upstream. # Removal on 2021-11-21. Bug #819495 dev-vcs/cvsspam -- Jakov OpenPGP_signature Description: OpenPGP digital signature
[gentoo-dev] Last rites: media-gfx/esci-interpreter-gt-s80
# Jakov Smolić (2021-10-22) # No maintainer, EAPI 5, no revdeps. # Removal on 2021-11-21. Bug #819492 media-gfx/esci-interpreter-gt-s80 -- Jakov OpenPGP_signature Description: OpenPGP digital signature
[gentoo-dev] Last rites: media-gfx/iscan-plugin-perfection-v370
# Jakov Smolić (2021-10-22) # No maintainer, EAPI 5, no revdeps. # Removal on 2021-11-21. Bug #819489 media-gfx/iscan-plugin-perfection-v370 -- Jakov OpenPGP_signature Description: OpenPGP digital signature
[gentoo-dev] Last rites: net-misc/bwwhois
# Sergey Popov (2021-10-22) # Upstream support discontinued, see https://bw.org/2019/03/19/bw-whois/ # Suggested replacement - net-misc/whois # Masked for removal on 2021-11-22 net-misc/bwwhois -- Best regards, Sergey Popov Gentoo developer