Both sides have valid points:
1) we should remove vulnerable cruft from the tree
2) we should not break dependencies for any arch, regardless of their
response time
I believe some communication adjustments could avoid unnecessary conflict.
If a package cannot be removed because a newer version
On Thu, 8 Feb 2007 22:34:32 +
Stephen Bennett [EMAIL PROTECTED] wrote:
If any of you were thinking of removing the latest stable version of a
package, don't. Even if you're the package maintainer, even if there
are open security bugs against it, even if someone has filed you a bug
On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
[EMAIL PROTECTED] wrote:
| Do you object to such packages (specifically with security issues)
| being p.masked?
If it's forcing a downgrade, yes.
| I'm not sure we should be encouraging people to continue using
| packages when we know there are
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Kevin F. Quinn wrote:
Do you object to such packages (specifically with security issues) being
p.masked?
I'd say drop all but the slacking arch's keywords, as Luca suggested.
It may well be one of the security-unsupported arches anyway.
- --
On Sunday 11 February 2007, Ciaran McCreesh wrote:
On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
| I'm not sure we should be encouraging people to continue using
| packages when we know there are known security issues.
You assume that being affected by a local denial of service on a
On Sun, 11 Feb 2007 07:56:29 -0500
Mike Frysinger [EMAIL PROTECTED] wrote:
wonder if there'd be a way of leveraging the glsa access tags ...
if (remote in access) screw over $ARCH in KEYWORDS
-mike
If it's a security-unsupported arch we probably don't even care about
that enough to lose
On Sun, 11 Feb 2007 12:33:52 +
Ciaran McCreesh [EMAIL PROTECTED] wrote:
On Sun, 11 Feb 2007 13:22:48 +0100 Kevin F. Quinn
[EMAIL PROTECTED] wrote:
| Do you object to such packages (specifically with security issues)
| being p.masked?
If it's forcing a downgrade, yes.
| I'm not sure
On Sun, 11 Feb 2007, Kevin F. Quinn wrote:
I think if we're to promote packages that have security issues on an
arch, we need to be very clear that we're not making reasonable efforts
to ensure that arch is free of known exploits.
I agree. The term promote is perhaps a little bit
On Sun, 11 Feb 2007 15:42:33 +0100 Kevin F. Quinn
[EMAIL PROTECTED] wrote:
| I said nothing about local denial of service; perhaps you're thinking
| of a particular instance - I'm not. To rhetorically follow your line
| of discussion, you're happy to have remote exploits remain in the tree
|
Ciaran McCreesh [EMAIL PROTECTED] wrote:
On Sun, 11 Feb 2007 15:42:33 +0100 Kevin F. Quinn wrote:
| I said nothing about local denial of service; perhaps you're thinking
| of a particular instance - I'm not. To rhetorically follow your line
| of discussion, you're happy to have remote
On Sun, 11 Feb 2007 17:18:45 +0100 Matti Bickel [EMAIL PROTECTED] wrote:
| And I understood he argued quite the opposite. To my knowledge the
| security team p.masks common (type A and B) packages, and I'm sure
| they don't do this for nothing, though I agree that probably should be
| left for
Ciaran McCreesh wrote:
| * Don't remove packages that will end up breaking the tree or
| forcing downgrades; conversely, when vulnerable packages *can* be
| removed safely, do so.
|
| And is/should be done right now :-)
No, what's done right now is that Jakub files whiny bugs
On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| - I'm *not* demanding anything from *arch teams*, the bugs are for
| *maintainers* of those packages. I've already told you couple of
| times, why are you making these misleading statements yet again?
And yet, somehow
Ciaran McCreesh wrote:
On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| - I'm *not* demanding anything from *arch teams*, the bugs are for
| *maintainers* of those packages. I've already told you couple of
| times, why are you making these misleading statements yet
On Sun, 11 Feb 2007 18:49:21 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Why should I assign bugs to arch teams??? Arch teams are not supposed
| to punt stuff from the tree, it's maintainer's job.
Because the arch teams have to do work before the maintainers can do
anything.
| *All* the recent
On Sun, Feb 11, 2007 at 05:40:27PM +, Ciaran McCreesh wrote:
On Sun, 11 Feb 2007 18:30:43 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| - I'm *not* demanding anything from *arch teams*, the bugs are for
| *maintainers* of those packages. I've already told you couple of
| times, why are you
Ciaran McCreesh wrote:
| Screaming? WTF really. What's misleading about listing vulnerable
| versions and asking for their removal?
They can't be removed yet. Stop filing bugs telling people to do so.
Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
it stay in the
On Sun, 11 Feb 2007 19:50:02 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| Ciaran McCreesh wrote:
| | Screaming? WTF really. What's misleading about listing vulnerable
| | versions and asking for their removal?
|
| They can't be removed yet. Stop filing bugs telling people to do so.
|
| Eh?
Alexander Færøy wrote:
Hi,
On Sun, Feb 11, 2007 at 07:50:02PM +0100, Jakub Moc wrote:
Eh? Why should I stop filing bugs about stale vulnerable cruft? Should
it stay in the tree forever (unless some $we_all_know_which_arch dev
wakes up by miracle and moves)?
If you give away enough
On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| So, what are you blaming me for here? Grrr.
Misassigning or premature filing, as you prefer.
--
Ciaran McCreesh
Mail: ciaranm at ciaranm.org
Web :
Jakub Moc [EMAIL PROTECTED] wrote:
Ciaran McCreesh wrote:
| Screaming? WTF really. What's misleading about listing vulnerable
| versions and asking for their removal?
They can't be removed yet. Stop filing bugs telling people to do so.
Eh? Why should I stop filing bugs about stale
On Sun, 11 Feb 2007 19:50:02 +0100
Jakub Moc [EMAIL PROTECTED] wrote:
Won't waste my time on your trollish rants any more.
Hehe, whenever you write this, there's always several more posts from you down
the same thread. It's kind of amusing.
--
Andrej Ticho Kacian ticho at gentoo dot org
Ciaran McCreesh wrote:
On Sun, 11 Feb 2007 21:33:59 +0100 Jakub Moc [EMAIL PROTECTED] wrote:
| So, what are you blaming me for here? Grrr.
Misassigning or premature filing, as you prefer.
Oh sure... Next time, blame me for Sept 11, keep amusing us by your
bullshit.
--
Best regards,
Matti Bickel wrote:
How about cc'ing arches, which are affected by this? You still get your
point across and maybe arches move it up their priority list if they see
a removal b/c of centuries old vulnerabilities.
I did CC mips, and did write that it needs version x.y.z stabilized
first.
On Sun, 11 Feb 2007 22:23:44 +0100
Jakub Moc [EMAIL PROTECTED] wrote:
Oh sure... Next time, blame me for Sept 11, keep amusing us by your
bullshit.
If you like, I can say that you killed Jesus and were single-handedly
responsible for the extinction of the dinosaurs. Would that make you
happy?
On Sun, 11 Feb 2007 21:52:55 +0100 Matti Bickel [EMAIL PROTECTED] wrote:
| How about cc'ing arches, which are affected by this? You still get
| your point across and maybe arches move it up their priority list if
| they see a removal b/c of centuries old vulnerabilities.
How about assigning the
On Sun, 2007-11-02 at 22:46 +, Stephen Bennett wrote:
On Sun, 11 Feb 2007 22:23:44 +0100
Jakub Moc [EMAIL PROTECTED] wrote:
Oh sure... Next time, blame me for Sept 11, keep amusing us by your
bullshit.
If you like, I can say that you killed Jesus and were single-handedly
If any of you were thinking of removing the latest stable version of a
package, don't. Even if you're the package maintainer, even if there
are open security bugs against it, even if someone has filed you a bug
requesting that it be removed. If it's the latest stable version on any
architecture,
28 matches