Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Patrick Lauer
On 01/07/15 06:24, William Hubbs wrote:
 All,
 
 Many packages have been masked in the tree for months - years with no
 signs of fixes.
 
 I am particularly concerned about packages with known security
 vulnerabilities staying in the main tree masked. If people want to keep
 using those packages, I don't want to stop them, but packages like this
 should be in an overlay, not the main tree.
 

 # Sergey Popov pinkb...@gentoo.org (20 Mar 2014)
 # Security mask of vulnerable versions, wrt bug #424167
 net-nds/openldap-2.4.35

Please leave at least one openldap-2.3 version around - replication
doesn't work between different major versions, so those of us stuck with
mummified linux need them (sigh)

Thanks,

Patrick



Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150106 William Hubbs wrote:
 Many packages have been masked in the tree for months - years
 with no signs of fixes.  I am particularly concerned
 about packages with known security vulnerabilities
 staying in the main tree masked.  If people want to keep those packages,
 I don't want to stop them, but packages like this should be in an overlay,
 not the main tree.

-- snip --

 # Tavis Ormandy tav...@gentoo.org (21 Mar 2006)
 # masked pending unresolved security issues #125902
 games-roguelike/nethack

-- snip --

This one is perfectly safe on a single-user system : please leave it there.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Matt Turner
On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs willi...@gentoo.org wrote:
 On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
 150106 William Hubbs wrote:
 This one is perfectly safe on a single-user system : please leave it there.

 I'm not opposed to it staying in the tree under one of these conditions:

 1) fix it and remove the mask

 or

 2) remove the mask and add ewarns to the ebuild

Remove the mask that people have to see and actively disable in order
to install the software and replace it with ewarn messages that they
likely won't read?

I don't see the problem with versions with security vulnerabilities
masked in the tree. nethack in particular has been masked in the tree
since 2006, so we have some precedent.



Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150107 William Hubbs wrote:
 On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
 150106 William Hubbs wrote:
 Many packages have been masked in the tree for months - years
 with no signs of fixes.  I am particularly concerned
 about packages with known security vulnerabilities
 staying in the main tree masked.  If people want to keep those packages,
 I don't want to stop them, but packages like this should be in an overlay,
 not the main tree.
 -- snip --
  # Tavis Ormandy tav...@gentoo.org (21 Mar 2006)
  # masked pending unresolved security issues #125902
  games-roguelike/nethack
 -- snip --
 This one is perfectly safe on a single-user system : please leave it there.
 I'm not opposed to it staying in the tree under one of these conditions:
 1) fix it and remove the mask or

I'm a user, not a dev or a programmer.

 2) remove the mask and add ewarns to the ebuild

That looks more reasonable and something a dev could easily do.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
 150106 William Hubbs wrote:
  Many packages have been masked in the tree for months - years
  with no signs of fixes.  I am particularly concerned
  about packages with known security vulnerabilities
  staying in the main tree masked.  If people want to keep those packages,
  I don't want to stop them, but packages like this should be in an overlay,
  not the main tree.
 
 -- snip --
 
  # Tavis Ormandy tav...@gentoo.org (21 Mar 2006)
  # masked pending unresolved security issues #125902
  games-roguelike/nethack
 
 -- snip --
 
 This one is perfectly safe on a single-user system : please leave it there.

I'm not opposed to it staying in the tree under one of these conditions:

1) fix it and remove the mask

or

2) remove the mask and add ewarns to the ebuild

William





[gentoo-dev] qa last rites -- long list

2015-01-06 Thread William Hubbs
All,

Many packages have been masked in the tree for months - years with no
signs of fixes.

I am particularly concerned about packages with known security
vulnerabilities staying in the main tree masked. If people want to keep
using those packages, I don't want to stop them, but packages like this
should be in an overlay, not the main tree.

On 28 Jan, I will go through this list again, from oldest to newest,
first focusing on packages with known security issues. Any of these that
I find still in p.mask or with no fixes and still in the
main tree will be removed then.

# Patrick Lauer patr...@gentoo.org (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki jauh...@gentoo.org (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
x11-misc/sddm-0.10.0

# Sergey Popov pinkb...@gentoo.org (04 Sep 2014)
# Security mask, wrt bugs #488212, #498164, #500260,
# #507802 and #518718
virtual/mysql-5.5
dev-db/mysql-5.5.39
dev-db/mariadb-5.5.39

# Chí-Thanh Christopher Nguyễn chith...@gentoo.org (03 Sep 2014)
# Markos Chandras hwoar...@gentoo.org (02 Sep 2014)
# MSN service terminated.
# You can still use your MSN account in net-im/skype
# or switch to an open protocol instead
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Christian Faulhammer fa...@gentoo.org (02 Sep 2014)
# website not working anymore and will stay like this,
# tool is useless. See bug 504734
app-admin/hwreport

# Ulrich Müller u...@gentoo.org (15 Jul 2014)
# Permanently mask sys-libs/lib-compat and its reverse dependencies,
# pending multiple security vulnerabilities and QA issues.
# See bugs #515926 and #510960.
sys-libs/lib-compat
sys-libs/lib-compat-loki
games-action/mutantstorm-demo
games-action/phobiaii
games-emulation/handy
games-fps/rtcw
games-fps/unreal
games-strategy/heroes3
games-strategy/heroes3-demo
games-strategy/smac
sys-block/afacli

# Mike Gilbert flop...@gentoo.org (13 Jun 2014)
# Masked due to security bug 499870.
# Please migrate to net-misc/libreswan.
# If you are a Gentoo developer, feel free to pick up maintenance of openswan
# and remove this mask after resolving the security issue.
net-misc/openswan

# Mike Gilbert flop...@gentoo.org (10 Jun 2014)
# Tom Wijsman tom...@gentoo.org (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# A vulnerability has been discovered in VLC Media Player, which can be
# exploited by malicious people to compromise a user's system.
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
#
# Users should consider upgrading VLC Media Player to at least version 2.1.2.
media-video/vlc-2.1.2

# Tom Wijsman tom...@gentoo.org (6 Jun 2014)
# Tom Wijsman tom...@gentoo.org (6 Jun 2014)
# Mask gentoo-sources ebuilds that are affected with security bug CVE-2014-3153.
#
# Pinkie Pie discovered an issue in the futex subsystem that allows a
# local user to gain ring 0 control via the futex syscall. An
# unprivileged user could use this flaw to crash the kernel (resulting
# in denial of service) or for privilege escalation.
#
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5

# Tom Wijsman tom...@gentoo.org (30 May 2014)
# CVE-2012-1721 - Remote Code Execution Vulnerability
#
# Vulnerable: IBM Java SE 5.0 SR12-FP5
# URL: http://www.securityfocus.com/bid/53959/
dev-java/ibm-jdk-bin:1.5

# Alexander Vershilov qni...@gentoo.org (02 Apr 2014)
# Multiple vulnerabilities, see #504724, #505860
sys-kernel/openvz-sources-2.6.32.85.17

# Chí-Thanh Christopher Nguyễn chith...@gentoo.org (26 Mar 2014)
# Affected by multiple vulnerabilities, #445916, #471098 and #472280
media-libs/mesa-9.1.4

# Sergey Popov pinkb...@gentoo.org (20 Mar 2014)
# Security mask of vulnerable versions, wrt bug #424167
net-nds/openldap-2.4.35

# Michael Weber x...@gentoo.org (9 Jul 2013)
# Masked for security bug 450746, CVE-2012-6095
net-ftp/proftpd-1.3.4c

# Samuli Suominen ssuomi...@gentoo.org (30 Oct 2011)
# Masked for security bug #294253, use only at your own risk!
=media-libs/fmod-3*
games-puzzle/candycrisis
games-simulation/stoned-bin
games-sports/racer-bin
games-strategy/dark-oberon
games-strategy/savage-bin

# Chris Gianelloni wolf3...@gentoo.org (03 Mar 2008)
# Masking due to security bug #194607 and security bug #204067
games-fps/doom3
games-fps/doom3-cdoom
games-fps/doom3-chextrek
games-fps/doom3-data
games-fps/doom3-demo
games-fps/doom3-ducttape
games-fps/doom3-eventhorizon
games-fps/doom3-hellcampaign
games-fps/doom3-inhell
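The post above announces a pass over package.mask "from oldest to newest, first focusing on packages with known security issues". The following script, added here as an example and not part of the thread or of Gentoo's own tooling, parses the package.mask block format quoted in the list (a header line of the form `# Name <email> (DD Mon YYYY)`, further `#` comment lines, then one atom per line, blocks separated by blank lines) and ranks the security-related blocks by age. The security classification is a keyword match on the comment text (an assumption of this example, not a Gentoo convention), and the sample input is a constructed excerpt of five blocks copied from the list above, with the archive-obfuscated addresses kept as they appear there.

```python
"""Parse a Gentoo profiles/package.mask excerpt and rank security masks by age."""
import re
from dataclasses import dataclass, field
from datetime import date, datetime

# Header convention assumed for this example: "# Author <email> (DD Mon YYYY)".
# The angle brackets are optional so the archive-obfuscated form also parses.
HEADER_RE = re.compile(
    r"^#\s*(?P<author>.+?)\s+<?(?P<email>[^\s<>]+@[^\s<>]+)>?\s+"
    r"\((?P<date>\d{1,2} [A-Za-z]{3} \d{4})\)\s*$"
)
# Keyword heuristic (assumption of this example) for "security mask".
SECURITY_RE = re.compile(r"security|vulnerab|privilege escalation|CVE-\d{4}-\d+", re.I)
BUG_RE = re.compile(r"(?:bugs?\s*#?|#)(\d{5,7})", re.I)   # "bug 524390", "#125902"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

REVIEW_DATE = date(2015, 1, 28)   # the "28 Jan" cutoff named in the post


@dataclass
class MaskBlock:
    authors: list[str]
    masked_on: date            # earliest date among the block's header lines
    comment: str
    atoms: list[str]
    bugs: list[str] = field(default_factory=list)
    cves: list[str] = field(default_factory=list)

    @property
    def is_security(self) -> bool:
        return bool(SECURITY_RE.search(self.comment))


def _parse_date(text: str) -> date:
    return datetime.strptime(text, "%d %b %Y").date()


def parse_package_mask(text: str) -> list[MaskBlock]:
    """Split package.mask text into blocks; blocks without a header or atoms are skipped."""
    blocks: list[MaskBlock] = []
    headers, comments, atoms = [], [], []

    def flush() -> None:
        if headers and atoms:
            comment = "\n".join(comments)
            blocks.append(MaskBlock(
                authors=[h.group("author") for h in headers],
                masked_on=min(_parse_date(h.group("date")) for h in headers),
                comment=comment,
                atoms=list(atoms),
                bugs=sorted(set(BUG_RE.findall(comment))),
                cves=sorted(set(CVE_RE.findall(comment))),
            ))
        headers.clear(); comments.clear(); atoms.clear()

    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:
            flush()
            continue
        m = HEADER_RE.match(line)
        if m and not atoms:            # a block may carry several header lines
            headers.append(m)
        elif line.startswith("#"):
            comments.append(line.lstrip("#").strip())
        else:
            atoms.append(line)
    return blocks


def security_masks(blocks: list[MaskBlock], as_of: date = REVIEW_DATE):
    """Security-related blocks, oldest first, paired with their age in days."""
    sec = sorted((b for b in blocks if b.is_security), key=lambda b: b.masked_on)
    return [(b, (as_of - b.masked_on).days) for b in sec]


# Constructed sample: five entries copied from the package.mask excerpt in the post.
SAMPLE = """\
# Patrick Lauer <patr...@gentoo.org> (24 Nov 2014)
# Missing deps, uninstallable
app-misc/email2trac
www-apps/trac-downloads

# Jauhien Piatlicki <jauh...@gentoo.org> (5 Oct 2014)
# Masked because of bug 524390: privilege escalation
# until upstream fixes this security issue.
# Use at your own risk
x11-misc/sddm-0.10.0

# Chí-Thanh Christopher Nguyễn <chith...@gentoo.org> (03 Sep 2014)
# Markos Chandras <hwoar...@gentoo.org> (02 Sep 2014)
# MSN service terminated.
# Masked for removal in 30 days
net-im/amsn
x11-themes/amsn-skins

# Mike Gilbert <flop...@gentoo.org> (10 Jun 2014)
# Tom Wijsman <tom...@gentoo.org> (8 Jun 2014)
# Mask VLC ebuilds that are affected with security bug CVE-2013-6934:
#
# Some ebuilds also have other buffer and integer overflow security bugs like
# CVE-2013-1954, CVE-2013-3245, CVE-2013-4388 and CVE-2013-6283.
media-video/vlc-2.1.2

# Tavis Ormandy <tav...@gentoo.org> (21 Mar 2006)
# masked pending unresolved security issues #125902
games-roguelike/nethack
"""

if __name__ == "__main__":
    for block, age in security_masks(parse_package_mask(SAMPLE)):
        print(f"{age:5d} days  {block.masked_on}  bugs={block.bugs} "
              f"cves={block.cves}  {' '.join(block.atoms)}")
```

Run against a real profiles/package.mask the same way (read the file into `parse_package_mask`); blocks carrying two header lines, as the VLC and amsn entries do, take the earlier of the two dates so that the oldest mask sorts first.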