Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Patrick Lauer
On 01/07/15 06:24, William Hubbs wrote:
> All,
> 
> Many packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should be in an overlay, not the main tree.
> 

> # Sergey Popov  (20 Mar 2014)
> # Security mask of vulnerable versions, wrt bug #424167
> 

Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150106 William Hubbs wrote:
> Many packages have been masked in the tree for months - years
> with no signs of fixes.  I am particularly concerned
> about packages with known security vulnerabilities
> staying in the main tree masked.  If people want to keep those packages,
> I don't want to stop them, but packages like this should be in an overlay,
> not the main tree.

-- snip --

> # Tavis Ormandy  (21 Mar 2006)
> # masked pending unresolved security issues #125902
> games-roguelike/nethack

-- snip --

This one is perfectly safe on a single-user system : please leave it there.

-- 
,,
SUPPORT ___//___,   Philip Webb
ELECTRIC   /] [] [] [] [] []|   Cities Centre, University of Toronto
TRANSIT`-O--O---'   purslowatchassdotutorontodotca




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Rich Freeman
On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs  wrote:
>
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
>

Is this policy documented anywhere?  If not, I'd be interested in what
the general sense of the community is here, and this might be an
appropriate topic for the next Council meeting.

I guess my question is what harm does it cause to have masked packages
in the main tree, where they at least benefit from other forms of QA
(eclass fixes, etc)?  The mask messages clearly point out the security
issues, so anybody who unmasks them is making an informed decision.
If they just move to some overlay most likely they won't have any
warnings and people will just figure that they're one of 10k other
packages that someone doesn't want to bother getting into the tree.

I'll go ahead and reply to the council agenda thread with this, and
I'd be interested in what the general sense of the rest of the
community is here.

-- 
Rich



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Alan McKinnon
On 07/01/2015 14:56, Rich Freeman wrote:
> On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs  wrote:
>>
>> I am particularly concerned about packages with known security
>> vulnerabilities staying in the main tree masked. If people want to keep
>> using those packages, I don't want to stop them, but packages like this
>> should not be in the main tree.
>>
> 
> Is this policy documented anywhere?  If not, I'd be interested in what
> the general sense of the community is here, and this might be an
> appropriate topic for the next Council meeting.
> 
> I guess my question is what harm does it cause to have masked packages
> in the main tree, where they at least benefit from other forms of QA
> (eclass fixes, etc)?  The mask messages clearly point out the security
> issues, so anybody who unmasks them is making an informed decision.
> If they just move to some overlay most likely they won't have any
> warnings and people will just figure that they're one of 10k other
> packages that someone doesn't want to bother getting into the tree.
> 
> I'll go ahead and reply to the council agenda thread with this, and
> I'd be interested in what the general sense of the rest of the
> community is here.


I always thought the (informal, ad-hoc) policy for buildable, working
packages with security bugs was to p.mask them and let the user decide.
For all the reasons you cite.

And that packages are only removed from the tree when they don't build,
don't work, upstream is gone and took their sources with them, etc, etc.


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Brian Evans

On 1/6/2015 6:47 PM, William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with
> no signs of fixes.
> 
> I am particularly concerned about packages with known security 
> vulnerabilities staying in the main tree masked. If people want to
> keep using those packages, I don't want to stop them, but packages
> like this should not be in the main tree.

> # Sergey Popov  (04 Sep 2014)
> # Security mask, wrt bugs #488212, #498164, #500260,
> # #507802 and #518718

The mysql team keeps old upgrades around for several months on purpose
to give admins time to migrate between major/minor releases.

Thanks for the reminder to cleanup.  It is time to do so.

Brian Evans



[gentoo-dev] About qmail herd being a candidate to be dissolved

2015-01-07 Thread Pacho Ramos
Hello

Looks like this herd has some unattended bugs for years 
(for example applying to qmail-scanner and some others). I was wondering
if maybe the herd should be dissolved and people should take the
packages they are really taking care of :/

I would do that in a week if nobody wants to join the herd and maintain all
the stuff (or drop the package the new people in that herd don't want
to maintain)

Thanks






Re: [gentoo-dev] Packages up for grabs

2015-01-07 Thread Pacho Ramos
On Mon, 01-12-2014 at 12:00 +0100, Pacho Ramos wrote:
> On Fri, 14-11-2014 at 04:02 +0100, Tom Wijsman wrote:
> > On Tue, 11 Nov 2014 16:59:46 +0200
> > Pavlos Ratis  wrote:
> > 
> > > I will also drop myself from the net-proxy herd.
> > 
> > Drawing extra attention to this sentence; it looks like the herd is
> > (once again) going to be empty, as the result of a lack of interest.
> > 
> > If someone does have a real interest in this herd; please step up now,
> > otherwise this herd is probably going to face a removal in the future.
> > 
> 
> I will probably remove it in a week or so as looks like nobody added to
> it :/
> 
> 

Done, these packages are now up for grabs:
net-analyzer/squidview
net-libs/libecap
net-proxy/3proxy
net-proxy/adzapper
net-proxy/bfilter
net-proxy/c-icap-modules
net-proxy/dansguardian
net-proxy/dante
net-proxy/dnsproxy
net-proxy/havp
net-proxy/http-replicator
net-proxy/httpush
net-proxy/ntlmaps
net-proxy/nylon
net-proxy/oops
net-proxy/pingtunnel
net-proxy/polipo
net-proxy/privoxy
net-proxy/ratproxy
net-proxy/squidguard
net-proxy/squirm
net-proxy/sshproxy 
net-proxy/tinyproxy
net-proxy/tsocks
net-proxy/webscarab





Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 03:10:13PM +0200, Alan McKinnon wrote:
> On 07/01/2015 14:56, Rich Freeman wrote:
> > On Tue, Jan 6, 2015 at 6:47 PM, William Hubbs  wrote:
> >>
> >> I am particularly concerned about packages with known security
> >> vulnerabilities staying in the main tree masked. If people want to keep
> >> using those packages, I don't want to stop them, but packages like this
> >> should not be in the main tree.
> >>
> > 
> > Is this policy documented anywhere?  If not, I'd be interested in what
> > the general sense of the community is here, and this might be an
> > appropriate topic for the next Council meeting.
> > 
> > I guess my question is what harm does it cause to have masked packages
> > in the main tree, where they at least benefit from other forms of QA
> > (eclass fixes, etc)?  The mask messages clearly point out the security
> > issues, so anybody who unmasks them is making an informed decision.
> > If they just move to some overlay most likely they won't have any
> > warnings and people will just figure that they're one of 10k other
> > packages that someone doesn't want to bother getting into the tree.
> > 
> > I'll go ahead and reply to the council agenda thread with this, and
> > I'd be interested in what the general sense of the rest of the
> > community is here.
> 
> 
> I always thought the (informal, ad-hoc) policy for buildable, working
> packages with security bugs was to p.mask them and let the user decide.
> For all the reasons you cite.
> 
> And that packages are only removed from the tree when they don't build,
> don't work, upstream is gone and took their sources with them, etc, etc.

My understanding of p.mask is it is never permanent. Things go in
there until they get fixed or eventually removed.

p.masked packages do not directly benefit from any forms of qa (eclass
fixes, etc).

I don't think, for example, we test eclass changes to see if they
break masked packages.

Also, as far as I know, we don't use p.masked packages as a
way to keep eclasses in the tree do we -- for example, (I haven't looked
at the code), but I'm guessing that a number of these packages use
games.eclass which is on the way out. If we say we can't get rid of
these packages, we may not be able to get rid of games.eclass.

It is unlikely as well that masked packages are actively maintained at
all, especially those that have been sitting in the tree masked for
multiple years. You are basically asking that we keep bitrotting broken
packages in the tree.

William





Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
> 150106 William Hubbs wrote:
> > Many packages have been masked in the tree for months - years
> > with no signs of fixes.  I am particularly concerned
> > about packages with known security vulnerabilities
> > staying in the main tree masked.  If people want to keep those packages,
> > I don't want to stop them, but packages like this should be in an overlay,
> > not the main tree.
> 
> -- snip --
> 
> > # Tavis Ormandy  (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> 
> -- snip --
> 
> This one is perfectly safe on a single-user system : please leave it there.

I'm not opposed to it staying in the tree under one of these conditions:

1) fix it and remove the mask

or

2) remove the mask and add ewarns to the ebuild

William





Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Pagano
On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with no
> signs of fixes.
> 
> I am particularly concerned about packages with known security
> vulnerabilities staying in the main tree masked. If people want to keep
> using those packages, I don't want to stop them, but packages like this
> should not be in the main tree.
> 
> # Mask gentoo-sources ebuilds that are affected with security bug 
> CVE-2014-3153.
> #
> # Pinkie Pie discovered an issue in the futex subsystem that allows a
> # local user to gain ring 0 control via the futex syscall. An
> # unprivileged user could use this flaw to crash the kernel (resulting
> # in denial of service) or for privilege escalation.
> #
> # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> =sys-kernel/gentoo-sources-3.2.58-r2
> ~sys-kernel/gentoo-sources-3.4.90
> =sys-kernel/gentoo-sources-3.4.91
> ~sys-kernel/gentoo-sources-3.10.40
> =sys-kernel/gentoo-sources-3.10.41
> ~sys-kernel/gentoo-sources-3.12.20
> =sys-kernel/gentoo-sources-3.12.21
> ~sys-kernel/gentoo-sources-3.14.4
> =sys-kernel/gentoo-sources-3.14.5

Hello,

What's the feeling for how long a package.mask entry should stay in the
file in the event that a package can cause physical damage to a user's 
system.

For certain types of hardware, kernel 3.17.0 could cause some
filesystem corruption. Of course, 3.17.0 is out of the tree but when is
it appropriate to say that a user has had enough time to upgrade their
systems and we can remove this entry?

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail : mpag...@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Philip Webb
150107 William Hubbs wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>>> Many packages have been masked in the tree for months - years
>>> with no signs of fixes.  I am particularly concerned
>>> about packages with known security vulnerabilities
>>> staying in the main tree masked.  If people want to keep those packages,
>>> I don't want to stop them, but packages like this should be in an overlay,
>>> not the main tree.
>> -- snip --
>> > # Tavis Ormandy  (21 Mar 2006)
>> > # masked pending unresolved security issues #125902
>> > games-roguelike/nethack
>> -- snip --
>> This one is perfectly safe on a single-user system : please leave it there.
> I'm not opposed to it staying in the tree under one of these conditions:
> 1) fix it and remove the mask or

I'm a user, not a dev or a programmer.

> 2) remove the mask and add ewarns to the ebuild

That looks more reasonable & something a dev could easily do.





Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > All,
> > 
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
> > 
> > I am particularly concerned about packages with known security
> > vulnerabilities staying in the main tree masked. If people want to keep
> > using those packages, I don't want to stop them, but packages like this
> > should not be in the main tree.
> > 
> > # Mask gentoo-sources ebuilds that are affected with security bug 
> > CVE-2014-3153.
> > #
> > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > # local user to gain ring 0 control via the futex syscall. An
> > # unprivileged user could use this flaw to crash the kernel (resulting
> > # in denial of service) or for privilege escalation.
> > #
> > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > =sys-kernel/gentoo-sources-3.2.58-r2
> > ~sys-kernel/gentoo-sources-3.4.90
> > =sys-kernel/gentoo-sources-3.4.91
> > ~sys-kernel/gentoo-sources-3.10.40
> > =sys-kernel/gentoo-sources-3.10.41
> > ~sys-kernel/gentoo-sources-3.12.20
> > =sys-kernel/gentoo-sources-3.12.21
> > ~sys-kernel/gentoo-sources-3.14.4
> > =sys-kernel/gentoo-sources-3.14.5

Mike,

since you responded here, what do you think about this p.mask entry?
Should we keep these in the tree?

> 
> Hello,
> 
> What's the feeling for how long a package.mask entry should stay in the
> file in the event that a package can cause physical damage to a user's 
> system.
> 
> For certain types of hardware, kernel 3.17.0 could cause some
> filesystem corruption. Of course, 3.17.0 is out of the tree but when is
> it appropriate to say that a user has had enough time to upgrade their
> systems and we can remove this entry?

(qa hat off here, just a question)

I'm a bit confused here.
If you have a specific p.mask entry for 3.17.0 and 3.17.0 is out of the
tree, isn't that p.mask entry invalid now? If so, go ahead and remove
or adjust the entry.

William





Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Gilbert
On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs  wrote:
> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
>> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
>> > All,
>> >
>> > these packages have been masked in the tree for months - years with no
>> > signs of fixes.
>> >
>> > I am particularly concerned about packages with known security
>> > vulnerabilities staying in the main tree masked. If people want to keep
>> > using those packages, I don't want to stop them, but packages like this
>> > should not be in the main tree.
>> >
>> > # Mask gentoo-sources ebuilds that are affected with security bug 
>> > CVE-2014-3153.
>> > #
>> > # Pinkie Pie discovered an issue in the futex subsystem that allows a
>> > # local user to gain ring 0 control via the futex syscall. An
>> > # unprivileged user could use this flaw to crash the kernel (resulting
>> > # in denial of service) or for privilege escalation.
>> > #
>> > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
>> > =sys-kernel/gentoo-sources-3.2.58-r2
>> > ~sys-kernel/gentoo-sources-3.4.90
>> > =sys-kernel/gentoo-sources-3.4.91
>> > ~sys-kernel/gentoo-sources-3.10.40
>> > =sys-kernel/gentoo-sources-3.10.41
>> > ~sys-kernel/gentoo-sources-3.12.20
>> > =sys-kernel/gentoo-sources-3.12.21
>> > ~sys-kernel/gentoo-sources-3.14.4
>> > =sys-kernel/gentoo-sources-3.14.5
>
> Mike,
>
> since you responded here, what do you think about this p.mask entry?
> Should we keep these in the tree?
>
>>
>> Hello,
>>
>> What's the feeling for how long a package.mask entry should stay in the
>> file in the event that a package can cause physical damage to a user's
>> system.
>>
>> For certain types of hardware, kernel 3.17.0 could cause some
>> filesystem corruption. Of course, 3.17.0 is out of the tree but when is
>> it appropriate to say that a user has had enough time to upgrade their
>> systems and we can remove this entry?
>
> (qa hat off here, just a question)
>
> I'm a bit confused here.
> If you have a specific p.mask entry for 3.17.0 and 3.17.0 is out of the
> tree, isn't that p.mask entry invalid now? If so, go ahead and remove
> or adjust the entry.
>

If users currently have 3.17.0 installed, portage will output a
warning message about a masked package being installed, even if the
ebuild no longer exists in the tree.

If you remove the mask, users will no longer be warned that they are
using a flawed copy of the kernel sources.

Thus, Mike's question about timing.



Re: [gentoo-dev] qa last rites -- long list

2015-01-07 Thread Matt Turner
On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs  wrote:
> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>> 150106 William Hubbs wrote:
>> This one is perfectly safe on a single-user system : please leave it there.
>
> I'm not opposed to it staying in the tree under one of these conditions:
>
> 1) fix it and remove the mask
>
> or
>
> 2) remove the mask and add ewarns to the ebuild

Remove the mask that people have to see and actively disable in order
to install the software and replace it with ewarn messages that they
likely won't read?

I don't see the problem with versions with security vulnerabilities
masked in the tree. nethack in particular has been masked in the tree
since 2006, so we have some precedent.



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Pagano
On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs  wrote:
> > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> >> > All,
> >> >
> 
> If you remove the mask, users will no longer be warned that they are
> using a flawed copy of the kernel sources.
> 
> Thus, Mike's question about timing.
> 

Exactly.




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> > On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs  wrote:
> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > >> > All,
> > >> >
> > 
> > If you remove the mask, users will no longer be warned that they are
> > using a flawed copy of the kernel sources.
> > 
> > Thus, Mike's question about timing.
> > 
> 
> Exactly.

This should be a different thread then since this wasn't in the list I
originally posted.

However,

this is considered an invalid package.mask entry since the package that
was being masked is no longer in the tree [1].

This is just something that QA or anyone can clean up as far as I know.
We don't worry about masking packages that no longer exist in the tree.

William

[1] http://qa-reports.gentoo.org/output/invalid-mask.txt




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Gilbert
On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs  wrote:
> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
>> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
>> > On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs  wrote:
>> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
>> > >> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
>> > >> > All,
>> > >> >
>> >
>> > If you remove the mask, users will no longer be warned that they are
>> > using a flawed copy of the kernel sources.
>> >
>> > Thus, Mike's question about timing.
>> >
>>
>> Exactly.
>
> This should be a different thread then since  this wasn't in the list I
> originally posted.
>
> However,
>
> this is considered an invalid package.mask entry since the package that
> was being masked is no longer in the tree [1].

Regardless of what repoman says, the mask entry is still useful.

The repoman warning serves as a nice reminder, but please don't treat
it as policy.
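The two behaviours argued over above (Mike Gilbert's point that portage still warns about an installed version matching a mask entry after the ebuild is gone, and William's point that such an entry shows up as an "invalid mask" because nothing in the tree matches it) as an added example, not portage's code and not from the thread. It is a reduced package.mask checker: atom syntax is limited to the `=` and `~` forms in the quoted block, the tree and installed-package lists are constructed, and the 3.17.0 mask text is made up since the thread only mentions it.

```python
"""Simplified package.mask checker (added example; not portage's own code).

Models two facts from the thread: an installed version matching a mask entry
is still flagged even when its ebuild no longer exists in the tree, and an
entry matching nothing in the tree is what the QA "invalid-mask" report lists.
Atoms are reduced to the '=' and '~' forms quoted in the thread; real portage
atoms (slots, '>=', wildcards) are handled by portage.dep, not by this code.
"""
import re
from dataclasses import dataclass

# Accepts "=cat/pn-1.2.3-r1", "~cat/pn-1.2.3" or a bare "cat/pn-1.2.3".
CPV_RE = re.compile(
    r"^(?P<op>[=~])?(?P<cat>[^/\s]+)/(?P<pn>\S+?)-(?P<pv>\d[\w.]*?)(?:-(?P<rev>r\d+))?$"
)


@dataclass(frozen=True)
class MaskEntry:
    op: str        # '=' exact version+revision, '~' any revision of the version
    cp: str        # "category/package"
    pv: str        # version without revision, e.g. "3.2.58"
    rev: str       # "r0" when the atom carries no revision
    comment: str   # the '#' block that introduced the entry


def split_cpv(cpv: str):
    """Return (op, cp, pv, rev) for an atom or a plain cpv string."""
    m = CPV_RE.match(cpv.strip())
    if m is None:
        raise ValueError(f"cannot parse atom: {cpv!r}")
    return (m["op"] or "", f"{m['cat']}/{m['pn']}", m["pv"], m["rev"] or "r0")


def parse_package_mask(text: str):
    """Parse package.mask text into MaskEntry objects, keeping each entry's comment."""
    entries, comment = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            comment = []          # a blank line closes the current comment block
        elif line.startswith("#"):
            comment.append(line.lstrip("#").strip())
        else:
            op, cp, pv, rev = split_cpv(line)
            if op not in ("=", "~"):
                raise ValueError(f"unsupported atom form: {line!r}")
            entries.append(MaskEntry(op, cp, pv, rev, "\n".join(comment)))
    return entries


def matches(entry: MaskEntry, cpv: str) -> bool:
    """True if the given cpv (installed or in-tree) falls under the mask entry."""
    _, cp, pv, rev = split_cpv(cpv)
    if cp != entry.cp or pv != entry.pv:
        return False
    return entry.op == "~" or rev == entry.rev


def masked_installed(entries, installed):
    """Installed cpvs that a mask covers: the condition portage warns about."""
    return [(cpv, e) for cpv in installed for e in entries if matches(e, cpv)]


def invalid_masks(entries, tree):
    """Entries matching no ebuild in the tree: what the 'invalid-mask' report lists."""
    return [e for e in entries if not any(matches(e, cpv) for cpv in tree)]


# Constructed sample: part of the CVE-2014-3153 block quoted in the thread, plus a
# made-up entry standing in for the 3.17.0 mask the thread mentions but does not quote.
SAMPLE_MASK = """\
# Mask gentoo-sources ebuilds that are affected with security bug
# CVE-2014-3153.
# https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91

# (constructed) filesystem corruption on some hardware
=sys-kernel/gentoo-sources-3.17.0
"""
# Constructed tree contents: 3.17.0 has already been removed from the tree.
SAMPLE_TREE = [
    "sys-kernel/gentoo-sources-3.2.58-r2",
    "sys-kernel/gentoo-sources-3.4.90-r1",
    "sys-kernel/gentoo-sources-3.4.91",
    "sys-kernel/gentoo-sources-3.18.1",
]
# Constructed installed set on a box that never upgraded past 3.17.0.
SAMPLE_INSTALLED = [
    "sys-kernel/gentoo-sources-3.17.0",
    "sys-kernel/gentoo-sources-3.4.90-r1",
]

if __name__ == "__main__":
    entries = parse_package_mask(SAMPLE_MASK)
    for cpv, e in masked_installed(entries, SAMPLE_INSTALLED):
        print(f"installed {cpv} is masked: {e.comment.splitlines()[0]}")
    for e in invalid_masks(entries, SAMPLE_TREE):
        print(f"invalid mask (no ebuild in tree): {e.op}{e.cp}-{e.pv}")
```

On the constructed data the 3.17.0 entry is reported both ways at once: it is the one invalid mask, and it is also the entry that still covers the installed 3.17.0 sources.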



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Gilbert
On Wed, Jan 7, 2015 at 10:52 AM, William Hubbs  wrote:
> My understanding of p.mask is it is never permanent. Things go in
> there until they get fixed or eventually removed.

I disagree with this. In my opinion, it is fine to have permanently
masked packages in some cases. I don't really care what the existing
documentation says on this; documentation can be updated.

> p.masked packages do not directly benefit from any forms of qa (eclass
> fixes, etc).
>
> I don't think, for example, we test eclass changes to see if they
> break masked packages.
>
> Also, as far as I know, we don't use p.masked packages as a
> way to keep eclasses in the tree do we -- for example, (I haven't looked
> at the code), but I'm guessing that a number of these packages use
> games.eclass which is on the way out. If we say we can't get rid of
> these packages, we may not be able to get rid of games.eclass.

Agreed. If the ebuild has no hope of working at all, there is no point
in keeping it in the tree. It should not hold up removal of obsolete
eclasses.

> It is unlikely as well that masked packages are actively maintained at
> all, especially those that have been sitting in the tree masked for
> multiple years. You are basically asking that we keep bitrotting broken
> packages in the tree.

If the package is unmaintained and broken, then it should be removed.
However, there are cases where the package is usable and has been
masked for some other reason, security being the obvious example.



[gentoo-dev] Last Rites: dev-db/pgtune

2015-01-07 Thread Aaron W. Swenson
pgtune is masked for removal 2015-03-08. It's dead upstream, has a
critical bug 530868, and doesn't use a real distribution model. Adopt
the package upstream to save it.

An online alternative lives at:
http://pgtune.leopard.in.ua/

-- 
Mr. Aaron W. Swenson
Gentoo Linux Developer
Herds/Projects: Perl, PostgreSQL, Proxy Maintainers
GitHub/BitBucket: titanofold | PAUSE: AWSWENSON | Twitter: @AaronWSwenson
GnuPG FP : 2C00 7719 4F85 FB07 A49C 0E31 5713 AA03 D1BB FDA0
GnuPG ID : D1BBFDA0




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Pagano
On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > All,
> > > #
> > > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > > # local user to gain ring 0 control via the futex syscall. An
> > > # unprivileged user could use this flaw to crash the kernel (resulting
> > > # in denial of service) or for privilege escalation.
> > > #
> > > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > > =sys-kernel/gentoo-sources-3.2.58-r2
> > > ~sys-kernel/gentoo-sources-3.4.90
> > > =sys-kernel/gentoo-sources-3.4.91
> > > ~sys-kernel/gentoo-sources-3.10.40
> > > =sys-kernel/gentoo-sources-3.10.41
> > > ~sys-kernel/gentoo-sources-3.12.20
> > > =sys-kernel/gentoo-sources-3.12.21
> > > ~sys-kernel/gentoo-sources-3.14.4
> > > =sys-kernel/gentoo-sources-3.14.5
> 
> Mike,
> 
> since you responded here, what do you think about this p.mask entry?
> Should we keep these in the tree?
 
William,

At what point do we not care about users who have not upgraded and will
miss this security message? 

Mike





Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Kristian Fiskerstrand

On 01/07/2015 07:22 PM, Mike Gilbert wrote:
> On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs 
> wrote:
>> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
>>> On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
 On Wed, Jan 7, 2015 at 12:11 PM, William Hubbs
  wrote:
> On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano
> wrote:
>> On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs
>> wrote:
>>> All,
>>> 
 
 If you remove the mask, users will no longer be warned that
 they are using a flawed copy of the kernel sources.
 
 Thus, Mike's question about timing.
 
>>> 
>>> Exactly.
>> 
>> This should be a different thread then since  this wasn't in the
>> list I originally posted.
>> 
>> However,
>> 
>> this is considered an invalid package.mask entry since the
>> package that was being masked is no longer in the tree [1].
> 
> Regardless of what repoman says, the mask entry is still useful.
> 
> The repoman warning serves as a nice reminder, but please don't
> treat it as policy.
> 


My two cents is that this is particularly true for kernel sources. For
other applications GLSAs will take over the responsibility for the
mask to ensure an upgrade path, however as we don't currently have a
structured mechanism for kernels I support the mask personally.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



Re: [gentoo-dev] Nominate global USE-flag harfbuzz

2015-01-07 Thread Mart Raudsepp
On Wed, 2015-01-07 at 07:29 +0100, Peter Stuge wrote:
> $ grep :harfbuzz profiles/use*desc
> profiles/use.local.desc:dev-libs/efl:harfbuzz - Enable complex text shaping 
> and layout support.
> profiles/use.local.desc:dev-qt/qtgui:harfbuzz - Use media-libs/harfbuzz for 
> text shaping (experimental in Qt 5.3.x, default in Qt 5.4.0 and later). If 
> enabled, it can still be disabled at runtime by setting QT_HARFBUZZ 
> environment variable to "old".
> profiles/use.local.desc:media-libs/freetype:harfbuzz - Use 
> media-libs/harfbuzz for auto-hinting OpenType fonts. WARNING: may trigger 
> circular dependencies!
> profiles/use.local.desc:media-libs/libass:harfbuzz - Enables OpenType shaping 
> via media-libs/harfbuzz.
> 
> Or isn't 4 enough?

I don't know about that, but I would say at least half of them should
continue to carry on a specific description of what the USE flag does in
its metadata.xml.
I guess consider this just a friendly slightly unrelated reminder that
when making USE flags global, please don't end up losing information by
deleting the specific description. And consider adding a local
description to a package's global USE flag usage if you can describe its
effect more specifically.
And if some tooling doesn't support that, well, bad luck. My tool does
(less metadata.xml)


Mart




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > All,
> > > > #
> > > > # Pinkie Pie discovered an issue in the futex subsystem that allows a
> > > > # local user to gain ring 0 control via the futex syscall. An
> > > > # unprivileged user could use this flaw to crash the kernel (resulting
> > > > # in denial of service) or for privilege escalation.
> > > > #
> > > > # https://bugs.gentoo.org/show_bug.cgi?id=CVE-2014-3153
> > > > =sys-kernel/gentoo-sources-3.2.58-r2
> > > > ~sys-kernel/gentoo-sources-3.4.90
> > > > =sys-kernel/gentoo-sources-3.4.91
> > > > ~sys-kernel/gentoo-sources-3.10.40
> > > > =sys-kernel/gentoo-sources-3.10.41
> > > > ~sys-kernel/gentoo-sources-3.12.20
> > > > =sys-kernel/gentoo-sources-3.12.21
> > > > ~sys-kernel/gentoo-sources-3.14.4
> > > > =sys-kernel/gentoo-sources-3.14.5
> > 
> > Mike,
> > 
> > since you responded here, what do you think about this p.mask entry?
> > Should we keep these in the tree?
>  
> William,
> 
> At what point do we not care about users who have not upgraded and will
> miss this security message? 
 
I would say that's more up to you as the maintainer, but put something
to the effect in the mask comment.

# This mask will be removed 

William





Re: [gentoo-dev] Nominate global USE-flag harfbuzz

2015-01-07 Thread Mikle Kolyada

07.01.2015 22:00, Mart Raudsepp wrote:
> On Wed, 2015-01-07 at 07:29 +0100, Peter Stuge wrote:
>> $ grep :harfbuzz profiles/use*desc
>> profiles/use.local.desc:dev-libs/efl:harfbuzz - Enable complex text shaping 
>> and layout support.
>> profiles/use.local.desc:dev-qt/qtgui:harfbuzz - Use media-libs/harfbuzz for 
>> text shaping (experimental in Qt 5.3.x, default in Qt 5.4.0 and later). If 
>> enabled, it can still be disabled at runtime by setting QT_HARFBUZZ 
>> environment variable to "old".
>> profiles/use.local.desc:media-libs/freetype:harfbuzz - Use 
>> media-libs/harfbuzz for auto-hinting OpenType fonts. WARNING: may trigger 
>> circular dependencies!
>> profiles/use.local.desc:media-libs/libass:harfbuzz - Enables OpenType 
>> shaping via media-libs/harfbuzz.
>>
>> Or isn't 4 enough?
> I don't know about that, but I would say at least half of them should
> continue to carry on a specific description of what the USE flag does in
> its metadata.xml.
> I guess consider this just a friendly slightly unrelated reminder that
> when making USE flags global, please don't end up losing information by
> deleting the specific description. And consider adding a local
> description to a package's global USE flag usage if you can describe its
> effect more specifically.
> And if some tooling doesn't support that, well, bad luck. My tool does
> (less metadata.xml)
>
>
> Mart
It must be at least 5 packages, as per our policy.



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Mike Pagano
On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > All,
> > William,
> > 
> > At what point do we not care about users who have not upgraded and will
> > miss this security message? 
>  
>  I would say that's more up to you as the maintainer, but put something
>  to the effect in the mask comment.
> 
>  # This mask will be removed 
> 
> William
> 

Fair enough. This question is to anyone that supports users and works on
bugs.  Especially the portage devs. At what point do you say to a user
that their system is so old that they really need to upgrade?

2 years, 1 year, < 1 year?  Maybe that's a good thing to state in documentation.

"For a fully supported and "reasonably secure as possible" Gentoo system, the
distribution expects users to update at least X times a year. Notice of
insecure or potentially harmful packages is not guaranteed one year after
official notification."

Mike


-- 
Mike Pagano
Gentoo Developer - Kernel Project
Gentoo Sources - Lead 
E-Mail : mpag...@gentoo.org
GnuPG FP   : EEE2 601D 0763 B60F 848C  9E14 3C33 C650 B576 E4E3
Public Key : http://pgp.mit.edu:11371/pks/lookup?search=0xB576E4E3&op=index



Kernel Security masks (was: Re: [gentoo-dev] qa last rites multiple packages)

2015-01-07 Thread Kristian Fiskerstrand

On 01/07/2015 07:48 PM, Kristian Fiskerstrand wrote:
> On 01/07/2015 07:22 PM, Mike Gilbert wrote:
>> On Wed, Jan 7, 2015 at 1:11 PM, William Hubbs
>>  wrote:

...

> 
> 
> My two cents is that this is particularly true for kernel sources.
> For other applications GLSAs will take over the responsibility for
> the mask to ensure an upgrade path, however as we don't currently
> have a structured mechanism for kernels I support the mask
> personally.
> 

Adding on to this. If we follow up from the earlier thread on kernel
series stabilization. Could it be an idea to keep package masks for
LTS branches of the kernel at least, but as a <= rather than specific
kernel versions. As such this could be updated when new bugs are
announced without clobbering the p.masks file going forwards?

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
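As an added example (not code from the thread or from Gentoo's own tools), here is a small Python evaluator for package.mask atoms that compares the per-version `=` / `~` entries quoted earlier in this thread with the `<=` per-branch form suggested above; the version grammar is simplified to dotted numbers plus an optional `-rN` revision, and the `PER_BRANCH_MASK` entries and the "fixed" 3.2.59 version are constructed for illustration.

```python
"""Added example (not from the thread or from Gentoo): evaluate package.mask
atoms against a gentoo-sources version, comparing the '=' / '~' per-version
entries quoted above (CVE-2014-3153) with the '<=' per-branch form proposed
here. Versions are dotted numbers plus an optional -rN; _rc etc. unsupported."""
import re

# <op>category/name-<version>[-r<rev>]; the name is matched lazily so the
# version starts at the first '-' that is followed by a digit.
ATOM_RE = re.compile(r'^(<=|>=|<|>|=|~)?([a-z0-9-]+/[a-zA-Z0-9_+-]+?)'
                     r'-(\d+(?:\.\d+)*)(?:-r(\d+))?$')
OPS = {'=': lambda a, b: a == b, '<': lambda a, b: a < b,
       '<=': lambda a, b: a <= b, '>': lambda a, b: a > b,
       '>=': lambda a, b: a >= b}

def parse(spec):
    """Return (op, category/name, version tuple, revision); op is None for
    a bare package version such as sys-kernel/gentoo-sources-3.2.58-r2."""
    m = ATOM_RE.match(spec)
    if not m:
        raise ValueError("unsupported atom or version: %r" % spec)
    op, cp, ver, rev = m.groups()
    return op, cp, tuple(int(x) for x in ver.split('.')), int(rev or 0)

def atom_matches(atom, cpv):
    """Gentoo operator semantics: '~' ignores the revision, '=' needs the
    exact version and revision, relational ops compare (version, revision)."""
    op, cp, ver, rev = parse(atom)
    _, icp, iver, irev = parse(cpv)
    if op is None or cp != icp:
        return False
    if op == '~':
        return ver == iver
    return OPS[op]((iver, irev), (ver, rev))

def masked_by(mask_text, cpv):
    """Atoms in a package.mask fragment that cover cpv (comments skipped)."""
    atoms = [l.strip() for l in mask_text.splitlines()
             if l.strip() and not l.strip().startswith('#')]
    return [a for a in atoms if atom_matches(a, cpv)]

# The per-version entries quoted earlier in this thread.
PER_VERSION_MASK = """
=sys-kernel/gentoo-sources-3.2.58-r2
~sys-kernel/gentoo-sources-3.4.90
=sys-kernel/gentoo-sources-3.4.91
~sys-kernel/gentoo-sources-3.10.40
=sys-kernel/gentoo-sources-3.10.41
~sys-kernel/gentoo-sources-3.12.20
=sys-kernel/gentoo-sources-3.12.21
~sys-kernel/gentoo-sources-3.14.4
=sys-kernel/gentoo-sources-3.14.5
"""
# Constructed '<=' entries, one per branch, bounded by the highest version
# listed above. A plain '<=' atom knows nothing about branches, so e.g.
# '<=...-3.4.91' also covers a later, hypothetically fixed 3.2.x (3.2.59).
PER_BRANCH_MASK = """
<=sys-kernel/gentoo-sources-3.2.58-r2
<=sys-kernel/gentoo-sources-3.4.91
<=sys-kernel/gentoo-sources-3.10.41
<=sys-kernel/gentoo-sources-3.12.21
<=sys-kernel/gentoo-sources-3.14.5
"""
```

Running `masked_by(PER_BRANCH_MASK, "sys-kernel/gentoo-sources-3.2.59")` shows the trade-off: four of the five branch atoms cover it, so a per-branch `<=` mask over-masks fixed versions on older branches unless something else (such as slot-aware atoms) narrows it.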



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 02:48:01PM -0500, Mike Pagano wrote:
> On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> > On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > > All,
> > > William,
> > > 
> > > At what point do we not care about users who have not upgraded and will
> > > miss this security message? 
> >  
> >  I would say that's more up to you as the maintainer, but put something
> >  to the effect in the mask comment.
> > 
> >  # This mask will be removed 
> > 
> > William
> > 
> 
> Fair enough. This question is to anyone that supports users and works on
> bugs.  Especially the portage devs. At what point do you say to a user
> that their system is so old that they really need to upgrade?
> 
> 2 years, 1 year, < 1 year?  Maybe that's a good thing to state in 
> documentation.

We already have a distro policy about this. I put ulm on this email
specifically, because he knows where the link is, and I don't right now.

Basically, at the distro level, anything over a year old is fair game to
be dropped.

William




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Wed, Jan 07, 2015 at 04:33:19PM -0600, William Hubbs wrote:
> On Wed, Jan 07, 2015 at 02:48:01PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 01:08:21PM -0600, William Hubbs wrote:
> > > On Wed, Jan 07, 2015 at 01:29:15PM -0500, Mike Pagano wrote:
> > > > On Wed, Jan 07, 2015 at 11:11:32AM -0600, William Hubbs wrote:
> > > > > On Wed, Jan 07, 2015 at 11:21:56AM -0500, Mike Pagano wrote:
> > > > > > On Tue, Jan 06, 2015 at 05:47:10PM -0600, William Hubbs wrote:
> > > > > > > All,
> > > > William,
> > > > 
> > > > At what point do we not care about users who have not upgraded and will
> > > > miss this security message? 
> > >  
> > >  I would say that's more up to you as the maintainer, but put something
> > >  to the effect in the mask comment.
> > > 
> > >  # This mask will be removed 
> > > 
> > > William
> > > 
> > 
> > Fair enough. This question is to anyone that supports users and works on
> > bugs.  Especially the portage devs. At what point do you say to a user
> > that their system is so old that they really need to upgrade?
> > 
> > 2 years, 1 year, < 1 year?  Maybe that's a good thing to state in 
> > documentation.
> 
> We already have a distro policy about this. I put ulm on this email
> specifically, because he knows where the link is, and I don't right now.
> 
> Basically, at the distro level, anything over a year old is fair game to
> be dropped.
Ok, here it is:

the council decided that the portage tree must provide an upgrade path
to a stable system which hasn't been upgraded for one year [1].

That's pretty general. What I would say about the kernel situation is,
it should be up to the maintainers, and it can be removed sooner if
g-sources-3.17.0 was never stabled.

William

[1] http://www.gentoo.org/proj/en/council/meeting-logs/20091109-summary.txt




[gentoo-dev] Re: qa last rites -- long list

2015-01-07 Thread Jonathan Callen

On 01/07/2015 12:15 PM, Matt Turner wrote:
> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs 
> wrote:
>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>> 150106 William Hubbs wrote: This one is perfectly safe on a
>>> single-user system : please leave it there.
>> 
>> I'm not opposed to it staying in the tree under one of these
>> conditions:
>> 
>> 1) fix it and remove the mask
>> 
>> or
>> 
>> 2) remove the mask and add ewarns to the ebuild
> 
> Remove the mask that people have to see and actively disable in
> order to install the software and replace it with ewarn messages
> that they likely won't read?
> 
> I don't see the problem with versions with security
> vulnerabilities masked in the tree. nethack in particular has been
> masked in the tree since 2006, so we have some precedence.
> 
> 

The only reason there is a security issue with nethack (and other
games like it) on Gentoo, and only on Gentoo, is that the games team
policy requires that all games have permissions 0750, with group
"games", and all users that should be allowed to run games be in the
"games" group.  Nethack expects that it have permissions 2755 (or
2711), with group "games" and that *no* users are members of that
group, so it can securely save files that are accessible to all users
during gameplay ("bones" files) and ensure that the user cannot
access/change their current save file.  These two expectations are
incompatible with each other, and end up creating a security issue
that upstream would never expect (as no users can be in the "games"
group traditionally).

-- 
Jonathan Callen
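As an added illustration (not code from the thread, from nethack or from Gentoo), the following Python models the POSIX permission check so the clash between the two layouts described above can be seen concretely: a shared "bones" directory owned root:games with mode 0770, a setgid 2755 binary versus a 0750 one, and players either inside or outside the "games" group. All uids, gids and modes are constructed values.

```python
"""Added example (not from the thread, nethack or Gentoo): model the POSIX
permission check to show why the two policies described above clash. The
shared 'bones' directory is group 'games', mode 0770; whether a player can
write it directly (bypassing the game) depends on whether the binary is
setgid and on who is in the 'games' group. All uids/gids are constructed."""
import stat

GAMES_GID, PLAYER_UID, PLAYER_GID = 35, 1000, 1000  # constructed ids
BONES_DIR = {'uid': 0, 'gid': GAMES_GID, 'mode': 0o40770}  # drwxrwx--- root:games
BITS = {'w': (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
        'x': (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def has_perm(uid, gids, f, kind):
    """POSIX class selection: owner bits if the uid matches, else group bits
    if any of the caller's gids match the file's group, else other bits."""
    own, grp, oth = BITS[kind]
    if uid == f['uid']:
        bit = own
    elif f['gid'] in gids:
        bit = grp
    else:
        bit = oth
    return bool(f['mode'] & bit)

def effective_gids(gids, binary):
    """A setgid binary runs with the file's group as its effective gid, in
    addition to the caller's own groups; otherwise only the caller's groups."""
    if binary['mode'] & stat.S_ISGID:
        return set(gids) | {binary['gid']}
    return set(gids)

def assess(binary, player_gids):
    """Can the player run the game, write bones through it, and write bones
    directly with their own credentials (the bypass the thread describes)?"""
    run = has_perm(PLAYER_UID, player_gids, binary, 'x')
    via_game = run and has_perm(PLAYER_UID, effective_gids(player_gids, binary),
                                BONES_DIR, 'w')
    direct = has_perm(PLAYER_UID, player_gids, BONES_DIR, 'w')
    return {'can_run': run, 'writes_via_game': via_game,
            'writes_directly': direct}

# Upstream nethack layout: setgid 'games' binary (2755), players NOT in 'games'.
UPSTREAM = {'uid': 0, 'gid': GAMES_GID, 'mode': 0o102755}
# Gentoo games-team policy: 0750, so players MUST be in 'games' to run it.
GENTOO = {'uid': 0, 'gid': GAMES_GID, 'mode': 0o100750}

if __name__ == '__main__':
    for name, binary, gids in (('upstream', UPSTREAM, {PLAYER_GID}),
                               ('gentoo', GENTOO, {PLAYER_GID, GAMES_GID}),
                               ('mixed', UPSTREAM, {PLAYER_GID, GAMES_GID})):
        print(name, assess(binary, gids))
```

With the upstream layout a player outside "games" can only reach the bones directory through the setgid game; as soon as players are members of "games" (which the 0750 policy requires), the same directory is writable to them directly, whichever mode the binary has.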



Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Andrew Savchenko
On Wed, 7 Jan 2015 12:11:04 -0600 William Hubbs wrote:
> On Wed, Jan 07, 2015 at 12:24:12PM -0500, Mike Pagano wrote:
> > On Wed, Jan 07, 2015 at 12:14:23PM -0500, Mike Gilbert wrote:
> > > If you remove the mask, users will no longer be warned that they are
> > > using a flawed copy of the kernel sources.
> > > 
> > > Thus, Mike's question about timing.
> > > 
> > 
> > Exactly.
> 
> This should be a different thread then since  this wasn't in the list I
> originally posted.
> 
> However,
> 
> this is considered an invalid package.mask entry since the package that
> was being masked is no longer in the tree [1].
> 
> This is just something that QA or anyone can clean up as far as I know.
> We don't worry about masking packages that no longer exist in the tree.
> 
> William
> 
> [1] http://qa-reports.gentoo.org/output/invalid-mask.txt

Probably this policy should be changed. It is a common (yet not
enforced) rule to support at least one year old setups. Thus masks
should remain at least one year after the package (or affected
version(s)) was removed from the tree. People can't emerge world daily.

IMO it will hurt no-one to retain that list forever, maybe put it
to something like package.mask.obsolete and update PMS to support
it.

Best regards,
Andrew Savchenko




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread Andrew Savchenko
On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> All,
> 
> these packages have been masked in the tree for months - years with no
> signs of fixes.

Some of them are binary packages or have no fixes upstream. If
there are no alternatives in tree for a package, and it works fine
(despite some bugs or issues), then let it be. If package is
broken, doesn't compile and upstream is dead, this is a possible
candidate for removal.

> # Ulrich Müller  (15 Jul 2014)
> # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> # pending multiple security vulnerabilities and QA issues.
> # See bugs #515926

This is just QA.

> games-fps/rtcw

Works fine here. While there are possible security issues due to
510960, it is perfectly safe to be used in isolated environment
(e.g. a local game in a separate container).

> # Chris Gianelloni  (03 Mar 2008)
> # Masking due to security bug #194607 and security bug #204067
> games-fps/doom3
> games-fps/doom3-cdoom
> games-fps/doom3-chextrek
> games-fps/doom3-data
> games-fps/doom3-demo
> games-fps/doom3-ducttape
> games-fps/doom3-eventhorizon
> games-fps/doom3-hellcampaign
> games-fps/doom3-inhell
> games-fps/doom3-lms
> games-fps/doom3-mitm
> games-fps/doom3-phantasm
> games-fps/doom3-roe

Only doom3 is vulnerable here; other packages are just deps.
Both vulnerabilities are remote, so local users (e.g. if someone
just wants to play original doom3 without multiplayer game) are
perfectly safe.

Yet this issue may be fixed: doom3 released source code under GPL-3:
https://github.com/id-Software/DOOM-3
Maybe doom3 should be renamed to doom3-bin (if someone needs it for
whatever reason), and doom3 should be readded as a GPL-3 version.
Doom3 built from source works great for me.

Security issues are just format string handlings and should be easy
to fix with source code available, though considering how picky the
games team is about changing network code outside of upstream, I really
doubt such patches have a chance to come to the tree.

> # Tavis Ormandy  (21 Mar 2006)
> # masked pending unresolved security issues #127167
> games-roguelike/slashem
> 
> # Tavis Ormandy  (21 Mar 2006)
> # masked pending unresolved security issues #125902
> games-roguelike/nethack
> games-util/hearse

Upstream doesn't consider these issues as bugs at all. This is a
clash of incompatible permission policies by games team and
nethack.
 
Best regards,
Andrew Savchenko




Re: [gentoo-dev] Packages up for grabs

2015-01-07 Thread Andrew Savchenko
Hi,

On Wed, 07 Jan 2015 15:06:08 +0100 Pacho Ramos wrote:
> On Mon, 01-12-2014 at 12:00 +0100, Pacho Ramos wrote:
[...]
> > I will probably remove it in a week or so as looks like nobody added to
> > it :/
> 
> Done, these packages are now up for grabs:

> net-proxy/pingtunnel
> net-proxy/polipo
> net-proxy/privoxy
> net-proxy/tsocks

I'll take them if there are no other people interested.
If you are — feel free to add yourself to maintainers :)

Best regards,
Andrew Savchenko




Re: [gentoo-dev] qa last rites multiple packages

2015-01-07 Thread William Hubbs
On Thu, Jan 08, 2015 at 04:26:02AM +0300, Andrew Savchenko wrote:
> On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> > All,
> > 
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
> 
> Some of them are binary packages or have no fixes upstream. If
> there are no alternatives in tree for a package, and it works fine
> (despite some bugs or issues), then let it be. If package is
> broken, doesn't compile and upstream is dead, this is a possible
> candidate for removal.
> 
> > # Ulrich Müller  (15 Jul 2014)
> > # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> > # pending multiple security vulnerabilities and QA issues.
> > # See bugs #515926
> 
> This is just QA.
> 
> > games-fps/rtcw
> 
> Works fine here. While there are possible security issues due to
> 510960, it is perfectly safe to be used in isolated environment
> (e.g. a local game in a separate container).
> 
> > # Chris Gianelloni  (03 Mar 2008)
> > # Masking due to security bug #194607 and security bug #204067
> > games-fps/doom3
> > games-fps/doom3-cdoom
> > games-fps/doom3-chextrek
> > games-fps/doom3-data
> > games-fps/doom3-demo
> > games-fps/doom3-ducttape
> > games-fps/doom3-eventhorizon
> > games-fps/doom3-hellcampaign
> > games-fps/doom3-inhell
> > games-fps/doom3-lms
> > games-fps/doom3-mitm
> > games-fps/doom3-phantasm
> > games-fps/doom3-roe
> 
> Only doom3 is vulnerable here; other packages are just deps.
> Both vulnerabilities are remote, so local users (e.g. if someone
> just wants to play original doom3 without multiplayer game) are
> perfectly safe.
> 
> Yet this issue may be fixed: doom3 released source code under GPL-3:
> https://github.com/id-Software/DOOM-3
> Maybe doom3 should be renamed to doom3-bin (if someone needs it for
> whatever reason), and doom3 should be readded as a GPL-3 version.
> Doom3 built from source works great for me.

This would be for the maintainers to decide, but if it is under gpl3
now, I would vote for adding the new version and getting rid of the old
one. I don't see a need to keep a binary proprietary product if the new
one is gpl'd.

This is why I posted this last rites, to get people to look at the
packages. :-)

William

> 
> Security issues are just format string handlings and should be easy
> to fix with source code available, though considering how picky the
> games team is about changing network code outside of upstream, I really
> doubt such patches have a chance to come to the tree.
> 
> > # Tavis Ormandy  (21 Mar 2006)
> > # masked pending unresolved security issues #127167
> > games-roguelike/slashem
> > 
> > # Tavis Ormandy  (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> > games-util/hearse
> 
> Upstream doesn't consider these issues as bugs at all. This is a
> clash of incompatible permission policies by games team and
> nethack.
>  
> Best regards,
> Andrew Savchenko






Re: [gentoo-dev] Re: qa last rites -- long list

2015-01-07 Thread Daniel Campbell

On 01/07/2015 04:19 PM, Jonathan Callen wrote:
> On 01/07/2015 12:15 PM, Matt Turner wrote:
>> On Wed, Jan 7, 2015 at 7:57 AM, William Hubbs 
>>  wrote:
>>> On Wed, Jan 07, 2015 at 06:49:56AM -0500, Philip Webb wrote:
>>>> 150106 William Hubbs wrote: This one is perfectly safe on a 
>>>> single-user system : please leave it there.
>>> 
>>> I'm not opposed to it staying in the tree under one of these 
>>> conditions:
>>> 
>>> 1) fix it and remove the mask
>>> 
>>> or
>>> 
>>> 2) remove the mask and add ewarns to the ebuild
> 
>> Remove the mask that people have to see and actively disable in 
>> order to install the software and replace it with ewarn messages
>>  that they likely won't read?
> 
>> I don't see the problem with versions with security 
>> vulnerabilities masked in the tree. nethack in particular has 
>> been masked in the tree since 2006, so we have some precedence.
> 
> 
> 
> The only reason there is a security issue with nethack (and other 
> games like it) on Gentoo, and only on Gentoo, is that the games 
> team policy requires that all games have permissions 0750, with 
> group "games", and all users that should be allowed to run games
> be in the "games" group.  Nethack expects that it have permissions 
> 2755 (or 2711), with group "games" and that *no* users are members 
> of that group, so it can securely save files that are accessible
> to all users during gameplay ("bones" files) and ensure that the
> user cannot access/change their current save file.  These two 
> expectations are incompatible with each other, and end up creating 
> a security issue that upstream would never expect (as no users can 
> be in the "games" group traditionally).
> 
> 

Is Nethack's group expectation hard-coded? If not, then what's
stopping nethack from using another, self-made group (like 'nethack')
to arbitrate the bones files?

If it *is* hard-coded, then can we produce a (hopefully simple) patch?