On Sat 1 December 2012 06:42:13, Rich Freeman wrote:
> On Fri, Nov 30, 2012 at 4:13 PM, Tomáš Chvátal <tomas.chva...@gmail.com> wrote:
> > On Fri 30 November 2012 20:37:22, Pacho Ramos wrote:
> >> media-sound/logitechmediaserver-bin -> this package is "special", it's
> >> maintained by a proxy maintainer but it was reassigned to
> >> maintainer-needed instead of proxy-maint herd. Was reviewing to reassign
> >> it when I saw:
> >> https://bugs.gentoo.org/show_bug.cgi?id=251494
> >> 
> >> that I have no idea about how to handle :|
> > 
> > Simple,
> > add a hardmask explaining possible security issues due to bundling
> > earth&heaven, and then let the proxymaintainer play with it if he wants.
> > 
> > The mask will be lifted only under condition these issues are fixed.
> > People can unmask quite easily if they want, we don't need everything in
> > stable :-)
> 
> I can't say that I agree with this needing to be masked.  If it HAS a
> known security issue, then mask it.  If the only issue is that it
> bundles too many libs, well, then just stick an ewarn in there or
> something but make it the user's call.

Bundling a few libs and bundling 40 of them is a bit of a difference; will YOU do 
the audit?
Also, other teams actively work on the unbundling, while there is no sign of any 
will to actually make it buildable with system libs.

Also, security is not the only problem here; it can also cause runtime 
issues, like a bundled lib that does not work with xyz because it does not apply 
patch X that we have in the main tree.

> 
> Should we mask chrome while we're at it (and yes, I'm aware that the
> chromium team is doing their best to remove these, but there are MANY
> left)?  How about mythtv - that bundles ffmpeg?

Mythtv and its bundling is really horrible and actually not needed at all by 
upstream. This is the reason why, for example, it is not included in Debian at 
all (external repos of course have it).

> 
> Yes, it is lousy practice, but our options are to change the world,
> practically fork upstream, or refuse to include useful packages.  It
> is admirable when we can remove bundled libs, but this should not be
> mandatory for having a package in the tree.  Actual security issues
> should be fixed, of course, or masked.
> 
> Sure, it ain't perfect or pretty, but it works.  And when dealing with
> outsiders, whether they are proxy maintainers or our founder, can we
> at least try to be polite?

Yes, we should be polite and nice, and I think explaining to the guy why it will 
be masked is enough. He can still work on it in the main tree, where it will for 
sure get a way larger audience than if it were sitting in some overlay, and 
users would have to read the mask before using it, so they will have to use 
their brains at least a bit.

Still, keep in mind that most distros won't allow inclusion of such software into 
their main repositories at all, so we allow something fishy that others avoid a lot.
