Brian Harring wrote:
> Commented in #-security about it, but any reason that arches don't yank
> their keywords from insecure ebuilds after they've stabled a
> replacement?

Brian,

I asked about this VERY same thing a long while back and at best I received "Because person X said no." So you ask X and they say the person that sent you to them said no.

The only argument against it was that it'd break the depend tree if package Y depends on version <=0.99 of package X and versions > 1.0 of X are vulnerability free. My opinion is "snap, crackle, and pop"... let the tree break. But better yet... figure out what depends on package X <=1.0 and p.mask it.

--
Doug Goldstein <[EMAIL PROTECTED]>
http://dev.gentoo.org/~cardoe/
