On Thursday 03 August 2006 04:56, Brian Harring wrote:

<snipped a lot>

> Besides... frankly it's kind of BS to push the vuln angle onto sunrise
> when gentoo can't even clean out years old vulnerable packages from
> gentoo-x86 (that doesn't absolve sunrise from having to watch it, nor
> a potshot at the understaffed security team, merely that double
> standards suck).

Just to clarify: AFAIR it has never been policy to remove vulnerable ebuilds.
The Security Team leaves that up to the maintainers. For some issues it does make sense to keep vulnerable ebuilds in the tree (i.e. latest Apache, GLSA 200608-01, when not using mod_rewrite).

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
http://security.gentoo.org

--
gentoo-dev@gentoo.org mailing list