On Thu, Jan 08, 2015 at 04:26:02AM +0300, Andrew Savchenko wrote:
> On Tue, 6 Jan 2015 17:47:10 -0600 William Hubbs wrote:
> > All,
> >
> > these packages have been masked in the tree for months - years with no
> > signs of fixes.
>
> Some of them are binary packages or have no fixes upstream. If
> there are no alternatives in tree for a package, and it works fine
> (despite some bugs or issues), then let it be. If a package is
> broken, doesn't compile and upstream is dead, this is a possible
> candidate for removal.
>
> > # Ulrich Müller <u...@gentoo.org> (15 Jul 2014)
> > # Permanently mask sys-libs/lib-compat and its reverse dependencies,
> > # pending multiple security vulnerabilities and QA issues.
> > # See bugs #515926
>
> This is just QA.
>
> > games-fps/rtcw
>
> Works fine here. While there are possible security issues due to
> 510960, it is perfectly safe to be used in an isolated environment
> (e.g. a local game in a separate container).
>
> > # Chris Gianelloni <wolf3...@gentoo.org> (03 Mar 2008)
> > # Masking due to security bug #194607 and security bug #204067
> > games-fps/doom3
> > games-fps/doom3-cdoom
> > games-fps/doom3-chextrek
> > games-fps/doom3-data
> > games-fps/doom3-demo
> > games-fps/doom3-ducttape
> > games-fps/doom3-eventhorizon
> > games-fps/doom3-hellcampaign
> > games-fps/doom3-inhell
> > games-fps/doom3-lms
> > games-fps/doom3-mitm
> > games-fps/doom3-phantasm
> > games-fps/doom3-roe
>
> Only doom3 is vulnerable here, other packages are just deps.
> Both vulnerabilities are remote, so local users (e.g. if someone
> just wants to play original doom3 without multiplayer game) are
> perfectly safe.
>
> Yet this issue may be fixed: doom3 released source code under GPL-3:
> https://github.com/id-Software/DOOM-3
> Maybe doom3 should be renamed to doom3-bin (if someone needs it for
> whatever reason), and doom3 should be readded as a GPL-3 version.
> Doom3 built from source works great for me.

This would be for the maintainers to decide, but if it is under gpl3 now,
I would vote for adding the new version and getting rid of the old one. I
don't see a need to keep a binary proprietary product if the new one is
gpl'd.

This is why I posted this last rites, to get people to look at the packages. :-)

William

> Security issues are just format string handling and should be easy
> to fix with source code available, though considering how picky the
> games team is about changing network code outside of upstream, I really
> doubt such patches have a chance to come to the tree.
>
> > # Tavis Ormandy <tav...@gentoo.org> (21 Mar 2006)
> > # masked pending unresolved security issues #127167
> > games-roguelike/slashem
> >
> > # Tavis Ormandy <tav...@gentoo.org> (21 Mar 2006)
> > # masked pending unresolved security issues #125902
> > games-roguelike/nethack
> > games-util/hearse
>
> Upstream doesn't consider these issues as bugs at all. This is a
> clash of incompatible permission policies by the games team and
> nethack.
>
> Best regards,
> Andrew Savchenko