Please remove the following ebuilds as they are vulnerable to GLSA 200809-04 ( http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml ):
=dev-db/mysql-4.1.22-r1
=dev-db/mysql-5.0.44-r1
=dev-db/mysql-5.0.44-r2
=dev-db/mysql-4.0.27-r1
=dev-db/mysql-5.0.26-r2
=dev-db/mysql-5.0.54
=dev-db/mysql-5.0.40
=dev-db/mysql-5.0.38
=dev-db/mysql-5.0.42
Note that other (unstable) atoms might be missing from this list that are vulnerable to the same GLSA. Please remove those as well.
Note there is also GLSA 200804-04, GLSA 200711-25 and GLSA 200705-11 affecting some of these versions.
- I will NOT remove =dev-db/mysql-4.1.22-r1 as it exists for users that can't upgrade to a newer series for other reasons.
- I'm loath to remove other old versions as well, as they have been very useful in tracing where bugs were introduced by upstream. Removing the ebuilds means the patch tarballs are going to start to vanish off the mirrors, making it hard for users to just recover the ebuild for testing.
As you point out, it's beneficial for users to have those old ebuilds around. Can we make it more apparent that they are not supported anymore then? That is, remove keywords or package.mask them, stating that the packages should not be used in public/production environments?
I'm fine with package.mask of the old ones.
# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned.
<dev-db/mysql-5.0.60-r1

I went with 5.0.60-r1, because that is what the GLSA said even though it was different than this bug title. http://www.gentoo.org/security/en/glsa/glsa-200809-04.xml This bug can be resolved after Robin takes a look as the maintainer.
The package.mask is fine, closing bug, not removing old packages.
Had to mask virtuals as well.

# Jeremy Olexa <darkside@gentoo.org> (28 Jul 2009)
# On behalf of Robin H. Johnson <robbat2@gentoo.org>.
# These versions are vulnerable to GLSA's and should not be used. They will stay
# in the tree because they are useful to tracking down bugs. You have been
# warned. bug 271686
<dev-db/mysql-5.0.60-r1
<virtual/mysql-5
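As an added example (not code from the bug thread or from Portage itself): a small Python checker that applies the two package.mask ranges above to a constructed list of atoms and reports which ones still fall inside the masked, GLSA-affected range. The version ordering is a simplified Gentoo comparison (numeric components plus -rN revision), which is enough for the atoms in this thread; the sample list and the fixed versions appended to it are constructed here.

```python
import re

# Constructed sample: the atoms from the bug title plus a few versions that
# must NOT match the mask (the GLSA fix version and a 5.0 virtual).
INSTALLED = [
    "=dev-db/mysql-4.1.22-r1", "=dev-db/mysql-5.0.44-r1", "=dev-db/mysql-5.0.44-r2",
    "=dev-db/mysql-4.0.27-r1", "=dev-db/mysql-5.0.26-r2", "=dev-db/mysql-5.0.54",
    "=dev-db/mysql-5.0.40", "=dev-db/mysql-5.0.38", "=dev-db/mysql-5.0.42",
    "=dev-db/mysql-5.0.60-r1", "=virtual/mysql-5.0", "=virtual/mysql-4.1",
]
# The two package.mask entries from the thread.
MASKS = ["<dev-db/mysql-5.0.60-r1", "<virtual/mysql-5"]

# operator, category/package, dotted numeric version, optional -rN revision
ATOM_RE = re.compile(r"(?P<op>[<>=]*)(?P<pkg>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:-r(?P<rev>\d+))?")

def parse_atom(atom):
    """Split an atom into (operator, category/package, comparable version key).
    Key = (tuple of numeric components, revision). A bare "5" sorts below "5.0",
    as in Portage, so "<virtual/mysql-5" covers 4.x but not 5.0."""
    m = ATOM_RE.fullmatch(atom.strip())
    if not m:
        raise ValueError(f"unparseable atom: {atom}")
    ver = tuple(int(x) for x in m["ver"].split("."))
    rev = int(m["rev"] or 0)
    return m["op"] or "=", m["pkg"], (ver, rev)

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, "=": lambda a, b: a == b,
       ">=": lambda a, b: a >= b, ">": lambda a, b: a > b}

def matching_mask(installed_atom, masks):
    """Return the first mask entry whose range contains installed_atom, else None."""
    _, pkg, key = parse_atom(installed_atom)
    for mask in masks:
        op, mpkg, mkey = parse_atom(mask)
        if mpkg == pkg and OPS[op](key, mkey):
            return mask
    return None

def masked_atoms(installed, masks):
    """List the installed atoms caught by the mask, i.e. still GLSA-affected."""
    return [a for a in installed if matching_mask(a, masks)]

if __name__ == "__main__":
    for atom in INSTALLED:
        print(f"{atom:28} -> {matching_mask(atom, MASKS) or 'not masked'}")
```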