On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs <willi...@gentoo.org> wrote:
>
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
>

Is this policy documented anywhere? If not, I'd be interested in what the general sense of the community is here, and this might be an appropriate topic for the next Council meeting.

I guess my question is what harm does it cause to have masked packages in the main tree, where they at least benefit from other forms of QA (eclass fixes, etc)? The mask messages clearly point out the security issues, so anybody who unmasks them is making an informed decision. If they just move to some overlay most likely they won't have any warnings and people will just figure that they're one of 10k other packages that someone doesn't want to bother getting into the tree.

I'll go ahead and reply to the council agenda thread with this, and I'd be interested in what the general sense of the rest of the community is here.

--
Rich