John Helmert III wrote:
> So much yapping on the mailing lists, and no response in the bug which
> triggered the last rites...

Apologies if I responded in the wrong forum. I thought on list would be good; why are those mails on the list if not?

> So, Peter, do you use Boa?

Not right now, but I have before and I might again.

> If you do, what niche does it fill that isn't filled by anything else?

That's a strange question. Why should I agree with or even reconfigure because of something that is in fact an error?

I ask you to revert the lastrite not because it would break a use case of mine but because the CVEs do not apply to boa itself but to some unknown appliance that uses boa to serve unknown buggy CGI scripts.

> There are multiple CVEs for it, is it really on us to discriminate
> between which CVEs are valid and which are not?

Yes. You are obviously /not/ responsible for what bogus CVEs people may report, but we're all responsible for the commits we create.

I assume that everyone wants to improve the overall state with each commit - that we want to make things more correct since that's what enables reliability, hence yes: it really is on every one of us to verify our inputs before taking action on them.

> We can't possibly hope to do that accurately in all cases.

Sometimes it will be easy, other times less easy. In this case the CVEs could be dismissed by searching the source code for the file names in the CVEs. Or by having experience with what the package provides, in particular that it doesn't include any CGI scripts.

Maybe the accurate bigger picture is that no (current) Gentoo developer knows enough about the package and thus can't be expected to action such bogus CVEs correctly without a couple of minutes of investigation, which would be too long; then I guess maintainer-needed is the most honest?

The mere existence of CVEs cannot be reason enough for any change; that would mean resignation to fear instead of encouraging rational behavior as required to actually improve technology.

It would also create incentive for permanent denial-of-service attacks by way of bogus CVEs manipulating people into incorrect lastrites and other changes. I don't want that to become common.

My question about the lastriting process was not an attack but a genuine inquiry. The answer I have received so far is something like "it can't work better because we react indiscriminately to CVEs"; that's an honest answer (thank you!) but not great quality. Does everyone mostly agree with that policy?

Thanks

//Peter