On Mon, Jul 4, 2016 at 11:26 PM, Aaron Bauman <b...@gentoo.org> wrote:
>
> The subject of this particular mailing list post is a little alarming and
> overreactive. We are not running around p.masking everyone's packages, but
> issues that have been outstanding for years often result in such courses of
> action.  I personally told Anthony I should have requested his assistance
> initially on the matter, and I do apologize for that.  He is an active
> developer who would respond in a timely manner.  So once again, I do
> apologize.

Thanks, and my intent wasn't to suggest that I thought there was any
kind of a trend here.  I just wanted to agree that this shouldn't be
how it happens.  It sounds like we're already on the same page, which
isn't surprising since this was the first complaint I've heard in a
while.

> Finally, that does not dissolve the developer of providing usable,
> substantiated, and verifiable information regarding the vulnerabilities.
> The idea that a developer gets to choose whether or not they do so should
> not be considered.

Also agree.  I think we need to have a reasonable security policy, but
clearly there can't be unresolved questions about whether a particular
package-version is vulnerable or not.  If we don't get a question like
that resolved in a timely manner then the version should be masked.
Users can then make an informed decision as to whether they want to
take the risk in unmasking it.

Our security policies are a tree-wide QA commitment that our users
rely on.  We shouldn't advertise a security policy that we aren't
willing to enforce.

-- 
Rich
