On Wednesday 09 January 2008 18:16:24 Ciaran McCreesh wrote:
> On Wed, 09 Jan 2008 17:27:52 +0000
>
> Roy Marples <[EMAIL PROTECTED]> wrote:
> > On Wed, 2008-01-09 at 17:01 +0000, Ciaran McCreesh wrote:
> > > 3.5.5 was good enough to be keyworded stable at one point. Thus, it
> > > can't be *that* bad.
> >
> > So what happens if a flaw is discovered in KDE 3.5.5 that allows root
> > access?
>
> Then the one particular part of 3.5.5 that's affected gets fixed and
> priority keyworded.
Let's say that there's just 3.5.5 and 3.5.8 in the tree.

3.5.5 is keyworded stable mips.
3.5.8 doesn't have the mips keyword because it's horribly broken on mips.

A security flaw is discovered in 3.5.5, and the solution is to upgrade to 3.5.8. This flaw involves code that has radically changed from 3.5.5 to 3.5.8. For the sake of argument, say it will take 1 month of time for anyone to create a patch for 3.5.5 that fixes the flaw OR makes 3.5.8 magically work on mips.

During this month, what do you propose happens to the end user? The choices are:

1) Carry on as we are. The user is blissfully unaware of the security flaw and doesn't have time to read GLSAs, etc., as he's busy with real life, thereby giving Gentoo the reputation of shipping insecure software.

2) Force the user to spend a few minutes adding 3.5.5 to a package.unmask, thereby acknowledging the security flaw but, by his own choice, keeping the highly insecure software.

Thanks

Roy

--
gentoo-dev@lists.gentoo.org mailing list