Ciaran McCreesh wrote:

> | > * Don't remove packages that will end up breaking the tree or
> | > forcing downgrades; conversely, when vulnerable packages *can* be
> | > removed safely, do so.
> | 
> | And is/should be done right now :-)
> 
> No, what's done right now is that Jakub files whiny bugs demanding
> immediate action from arch teams but assigning the bugs to package
> maintainers, resulting in dropped keywords because the maintainers
> assume that they can rely upon Jakub's bug descriptions being correct.
> Several recent incidents like this are what prompted the initial email.

Hey, kindly leave me alone...

- I'm *not* demanding anything from *arch teams*, the bugs are for
*maintainers* of those packages. I've already told you a couple of times,
why are you making these misleading statements yet again?

- Not my problem that maintainers didn't check keywords on removal (even
on bugs where mips is CCed). Developers are supposed to use *brain* when
punting vulnerable versions (like with any other commit).

- Also not my problem that $arch is still affected by such bugs months
or even years after respective GLSAs have been issued (which has caused
the ebuilds to still stay in the tree and hence made me file the bugs).
Before I started filing these bugs, we had vulnerable crap back from
~2004 lingering in the tree.

- Leaving vulnerable junk in the tree for an indefinite period of time
sucks and is causing needless work for maintainers. We lack any policy
on this, but if some arch can't act for over a year, they deserve to get
the keywords dropped and get their deptree broken, sorry. Not
maintainers' fault that no one has cared enough.

-- 
Best regards,

 Jakub Moc
 mailto:[EMAIL PROTECTED]
 GPG signature:
 http://subkeys.pgp.net:11371/pks/lookup?op=get&search=0xCEBA3D9E
 Primary key fingerprint: D2D7 933C 9BA1 C95B 2C95  B30F 8717 D5FD CEBA 3D9E

 ... still no signature   ;)
