On Wed, 06 Jul 2016 20:23:46 +0900 Aaron Bauman wrote:
> What kind of policing would you like to see councilman? Would you like to
> see me removed from the project, because your precious package was
> p.masked? You have ignored everything I have said regarding your
> inability to work with the security team. Even after an apology from me
> and a request to work with us you continue on with the rhetoric of powers.
> It displays a lot about your inability to work with others.
>
> No other developer is complaining... it is *literally* only you.

It is really not just him. I do not agree with the media-video/motion pmask with a 30-day removal term. But I had not pushed this issue hard, since I'm not a maintainer of this package.

If this package had been masked without a removal term, I could at least accept, if not agree with, such an action. But there is no other alternative for this package and the security bugs are not critical (at least they do not affect many use cases at all). So removal from the tree will harm our users sufficiently.

When the approach is "mask until issues are resolved, so that users are informed about the security hazard" — it sounds reasonable, and we already have several packages in the tree this way. But when the approach is to purge a package from the tree in 30 days regardless of the severity of the security flaws and ignoring the fact that there is nothing to replace this package with — this is not the kind of policy I'd like to see in Gentoo.

Please understand me correctly: I'm not blaming you or the security team for this or that issue. But it looks like the security team indeed needs to review some policies and approaches to suit the needs of Gentoo users better in terms of both security and usability, to find some reasonable compromise between them, which will satisfy most users. For these very issues it looks like canceling the "removal in 30 days" clause from the p.mask action will do the job.

Best regards,
Andrew Savchenko