On Tue, 2006-05-23 at 14:06 -0700, Brian Harring wrote:
> On Tue, May 23, 2006 at 04:51:06PM -0400, Chris Gianelloni wrote:
> > On Tue, 2006-05-23 at 16:22 -0400, Ned Ludd wrote:
> > > And now per arch breakdowns.
> > > http://gentooexperimental.org/~ferringb/reports/arch-vulnerabilities/
> >
> > No offense, but that isn't exactly useful in its current form. For example, x86 shows *all* of the packages, even ones where it has a non-vulnerable version stable. I guess a breakdown of which architectures still do not have a version *higher* than the ones listed by the GLSA stable would be necessary instead.
>
> You're ignoring the fact that ebuilds can and do specify version ranges that result in portage using something other than the highest; the report is a listing of "these pkgs are vulnerable according to glsas", the arch-vulns is just a view of that with stable/unstable for that arch collapsed into one.
>
> In other words... having a version stable that isn't affected by the glsa, good and grand, but the ebuilds sitting in the tree are *still* vulnerable.
>
> Splitting off a stable vs unstable is doable, but the intention of that report is to spell out which packages in the tree are vulnerable, thus in need of getting the boot.
I completely understand this. However, in most cases the reason the older packages are still in the tree is because *somebody* doesn't have it stable yet. If we knew which arch(es) didn't have a non-vulnerable version stable, then we could either remove the version, as it is no longer needed, or determine who needs to catch up on keywording. As it stands now, there's a huge number of packages listed for x86, where x86 can't necessarily do anything because someone else might not have a newer version stable.

-- 
Chris Gianelloni
Release Engineering - Strategic Lead
x86 Architecture Team
Games - Developer
Gentoo Linux
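As an added example (not code from this thread or from the report linked above), this sketches the per-arch view Chris is asking for: for each arch, the packages whose stable keywords sit only on versions the GLSA still lists as affected, so that arch is what blocks removal of the old ebuild. Package names, versions, keywords and the "first unaffected version" table are constructed, and the version comparison is a simplified stand-in for Portage's real version ordering.

```python
import re

# Constructed sample tree: package -> {version: KEYWORDS}. "x86" means stable
# on x86, "~x86" means testing, an absent arch is not keyworded at all.
EBUILDS = {
    "net-misc/foo": {
        "1.0": {"x86", "amd64", "ppc"},
        "1.1": {"x86", "~amd64", "~ppc"},   # fix is stable on x86 only
    },
    "app-misc/bar": {
        "2.0-r1": {"x86", "amd64", "sparc"},
        "2.1": {"~x86", "~amd64"},          # fix is not stable anywhere yet
    },
}

# Constructed GLSA data: package -> first version the GLSA marks unaffected.
GLSA_UNAFFECTED = {"net-misc/foo": "1.1", "app-misc/bar": "2.1"}

def parse_version(ver):
    """'2.0-r1' -> ((2, 0), 1). Simplified: dotted integers plus optional -rN."""
    m = re.fullmatch(r"([0-9.]+)(?:-r(\d+))?", ver)
    if not m:
        raise ValueError(f"unsupported version format: {ver}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return (nums, int(m.group(2) or 0))

def is_vulnerable(pkg, ver):
    # Affected means strictly below the GLSA's first unaffected version.
    return parse_version(ver) < parse_version(GLSA_UNAFFECTED[pkg])

def stable_arches(keywords):
    return {k for k in keywords if not k.startswith("~")}

def arches_lacking_fix(pkg, ebuilds=EBUILDS):
    """Arches with some stable version of pkg but no stable unaffected one."""
    stable_any, stable_fixed = set(), set()
    for ver, kws in ebuilds[pkg].items():
        arches = stable_arches(kws)
        stable_any |= arches
        if not is_vulnerable(pkg, ver):
            stable_fixed |= arches
    return stable_any - stable_fixed

def per_arch_report(ebuilds=EBUILDS):
    """arch -> sorted packages that arch still needs to stabilise a fix for."""
    report = {}
    for pkg in ebuilds:
        for arch in arches_lacking_fix(pkg, ebuilds):
            report.setdefault(arch, []).append(pkg)
    return {arch: sorted(pkgs) for arch, pkgs in report.items()}
```

In this sample, x86 drops off the list for net-misc/foo because 1.1 is already stable there, which is exactly the noise the current report keeps.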