On 01/21/2016 06:15 PM, Alexis Ballier wrote:
> On Thu, 21 Jan 2016 10:53:58 -0600
> William Hubbs <willi...@gentoo.org> wrote:
>
>> I would like to see a possible time limit set on how long packages can
>> stay in maintainer-needed; once a package goes there, if we can't find
>> someone to maintain it, we should consider booting it after that time
>> limit passes.
>
> Note that maintainer-needed doesn't necessarily mean a package is crap.
> Some simply don't really need a maintainer because they just work.
>

However, it can cause complications when issues are detected, in particular security-relevant ones. Attaching a CSV of bugs assigned to security with maintainer-needed CCed.

E.g. app-text/htmltidy has multiple reverse dependencies but is itself maintainer-needed with at least two vulnerabilities (bug 561452).

--
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

"Bug ID","Product","Component","Assignee","Status","Resolution","Summary","Changed"
571824,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","dev-db/firebird: authenticated remote crash by gbak invocation","2016-01-14 09:47:30"
537524,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-arch/ppmd: directory traversal","2016-01-10 17:07:17"
551144,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","<media-libs/libwmf-0.2.8.4-r6: heap overflow when decoding BMP images (CVE-2015-0848)","2016-01-10 14:20:56"
553818,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","<media-libs/libwmf-0.2.8.4-r6: Denial of Service (CVE-2015-{4588,4695,4696})","2016-01-10 10:41:41"
535708,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","<app-arch/arj-3.10.22-r5: two vulnerabilities (CVE-2015-{0556,0557})","2016-01-09 07:11:06"
561452,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-text/htmltidy: Two Denial of Service Vulnerabilities (CVE-2015-{5522,5523})","2016-01-08 14:11:28"
553604,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","net-mail/checkpw: DoS vulnerability (CVE-2015-0885)","2016-01-06 13:59:53"
537528,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-admin/usermin: Read Mail Module Vulnerability","2016-01-06 13:36:12"
536334,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","net-nds/389-ds-base: Information disclosure vulnerability (CVE-2014-3562)","2016-01-06 13:30:52"
515272,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","net-misc/italc: LZO Denial of Service and Arbitrary Code Execution through embedded code","2016-01-06 13:15:41"
499328,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","sys-apps/yum : ""YumCronBase()"" Package Spoofing Vulnerability (CVE-2014-0022)","2016-01-05 11:23:14"
541500,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-arch/arj: buffer overflow write access initiated by a size read from a crafted archive (CVE-2015-2782)","2015-12-31 04:57:10"
568398,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","dev-util/nsis: privilege escalation and code execution vulnerabilities in generated NSIS installers","2015-12-16 08:24:43"
562898,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-admin/lsyncd: Direct mode allwos injecting unauthorized filesystem operations","2015-11-29 16:41:48"
537522,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-arch/pax: directory traversal (CVE-2015-{1193,1194})","2015-11-25 04:33:59"
534184,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","app-misc/run-mailcap: Command Injection","2015-11-04 15:23:24"
548142,"Gentoo Security","Vulnerabilities","security","IN_PROGRESS","---","net-nds/389-ds-base: access control bypass with modrdn","2015-04-29 15:53:29"