On 25/09/14 08:42 AM, Andrew Savchenko wrote:
> Hello,
> 
> many packages in the tree are masked due to security issues instead of
> issuing GLSA for them. Why? At this moment I counted 56 such
> packages in package.mask.
> 
> Some of these packages have GLSAs issued (e.g. nethack and friends)
> and have no fixes, so this is understandable. But most packages are
> just masked "due to security bugs", I recently stumbled upon:
> ppp, mariadb, mysql, vlc...
> 
> Why is such masking bad? Because it undermines the whole idea of
> GLSA as a sole security provider for Gentoo users.
> 
> I manage about 50 Gentoo boxes (with more than 10 unique setups)
> and I'm not an update monkey to update them weekly. My usual
> workflow is to emerge all world somewhere within 6 months and 1
> year, but to install security updates regularly and critical ones
> ASAP. GLSA serves this purpose well (Yes, I understood that the
> security team can't embrace all issues so some extra lookup for
> CVEs is needed as well). But security-masked packages undermine
> such an approach, because they're not listed in glsa-check -l affected
> and the message about masked packages doesn't appear in elog, only on
> top of the build log, which is likely to be lost.
> 
> Best regards,
> Andrew Savchenko
> 

1. one of your examples is clearly wrong, mariadb has no masked versions
in the tree.

2. since you claim to have read package.mask, you will have noticed that
each mask (bar one) has a bug attached or easily accessible via alias.
the single one that does not have a bug number can easily be found via
search on the package name. if you bothered to read a single one of
them, they will have said that there is a GLSA in progress or that
stabilization is still in progress.

3. if you want to use old-ass packages from the age of bourne shell, use
debian, not gentoo.
