Bug 164182 - media-gfx/imagemagick security cleanup needed
Summary: media-gfx/imagemagick security cleanup needed
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Development
Hardware: All Linux
Importance: High normal
Assignee: Karol Wojtaszek (RETIRED)
Reported: 2007-01-28 10:08 UTC by Jakub Moc (RETIRED)
Modified: 2007-05-31 10:56 UTC
Description Jakub Moc (RETIRED) gentoo-dev 2007-01-28 10:08:59 UTC
media-gfx/imagemagick-6.2.9.5: vulnerable via glsa(200611-19) ( ver < 6.3.0.5 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc-macos', 'ppc64', 'sh', 'sparc', 'x86', 'x86-fbsd')
media-gfx/imagemagick-6.2.9.5-r1: vulnerable via glsa(200611-19) ( ver < 6.3.0.5 ), affects ('alpha', 'amd64', 'arm', 'hppa', 'ia64', 'mips', 'ppc', 'ppc-macos', 'ppc64', 'sh', 'sparc', 'x86', 'x86-fbsd')

Please, remove the above once 6.3.0.5 has been stabilized on mips. Thanks. :)
Comment 1 solar (RETIRED) gentoo-dev 2007-02-11 20:24:51 UTC
Seems the standard trolls are coming out of the woodwork about this bug. I'd like to comment.

Jakub clearly stated after mips was stabilized. In reality that is even 
not a concern at this time. If it's an unsupported security arch then
said $ARCH is simply out of luck in these situations. There are no
guarantees whatsoever that maintainers need to bother concerning
themselves with keyword dropping for an arch that is unsupported. The
only way to make any reasonable guarantees whatsoever is to become a
supported arch. While in an ideal world it would be nice and not screw
up an arch.
Comment 2 Ciaran McCreesh 2007-02-11 20:34:41 UTC
(In reply to comment #1)
> Seems the standard trolls are coming out of the woodwork about this bug. I'd
> Jakub clearly stated after mips was stabilized. In reality that is even 
> not a concern at this time. If it's an unsupported security arch then
> said $ARCH is simply out of luck in these situations. There are no
> guarantees whatsoever that maintainers need to bother concerning
> themselves with keyword dropping for an arch that is unsupported.

Untrue. You need to read the keywording policy again.

Also remember that dropping the last stable of a package like this one leads to hundreds of broken deps across the tree. Waving around the 'security' flag is no excuse for this.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2007-02-11 20:40:44 UTC
(In reply to comment #2)
> (In reply to comment #1)
> Also remember that dropping the last stable of a package like this one leads to
> hundreds of broken deps across the tree. Waving around the 'security' flag is
> no excuse for this.

OMG, drama queen on the scene... Hundreds?! Exactly two: app-doc/gimp-help and media-gfx/gimp-print.
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2007-02-11 20:41:07 UTC
(In reply to comment #1)
> Seems the standard trolls are coming out of the woodwork about this bug. I'd
> like to comment.
> 
> Jakub clearly stated after mips was stabilized. In reality that is even 
> not a concern at this time. If it's an unsupported security arch then
> said $ARCH is simply out of luck in these situations. There are no
> guarantees whatsoever that maintainers need to bother concerning
> themselves with keyword dropping for an arch that is unsupported. The
> only way to make any reasonable guarantees whatsoever is to become a
> supported arch. While in an ideal world it would be nice and not screw
> up an arch.
> 
No, policy is quite clear on this. You don't remove the newest stable version on any arch and you don't remove any versions breaking dependencies.


What you can do is remove keywords from archs with newer stable versions and reassign bugs for security affected versions to the team(s) that still haven't keyworded a newer version.

This has been the policy forever as documented on http://www.gentoo.org/proj/en/devrel/handbook/handbook.xml?part=2&chap=5#doc_chap7

So sekretarz did break policy in this case even though jakub stated that mips had to be stabled first.
Comment 5 Stephen Bennett (RETIRED) gentoo-dev 2007-02-11 20:48:17 UTC
(In reply to comment #1)
> If it's an unsupported security arch then
> said $ARCH is simply out of luck in these situations. There are no
> guarantees whatsoever that maintainers need to bother concerning
> themselves with keyword dropping for an arch that is unsupported.

Not even remotely true. You do not break arch keywording, regardless of justification.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2007-02-11 20:54:22 UTC
Closing this bug. Move your debates to the mailing list or somewhere else (like, file yourself a MIPS stabilization bug if you really wish). This is not a discussion forum and I'm not interested in taking part in this and receiving further mails in my already flooded mailbox.