Bug 444690 - Please mask <app-shells/bash-4.2_p37
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal enhancement
Assignee: Gentoo's Team for Core System packages
Reported: 2012-11-25 13:48 UTC by Agostino Sarubbo
Modified: 2015-10-20 20:35 UTC
Description Agostino Sarubbo gentoo-dev 2012-11-25 13:48:02 UTC
If you want to keep it/them in the tree, please mask <app-shells/bash-4.2_p37 because of the security bug 431850.
Comment 1 SpanKY gentoo-dev 2012-11-25 17:52:12 UTC
i don't see the point
Comment 2 Agostino Sarubbo gentoo-dev 2012-11-25 18:08:05 UTC
(In reply to comment #1)
> i don't see the point

The point is very very easy. The rule is: the maintainer must remove the vulnerable ebuilds from the tree to avoid users that accidentally could install them.

If it is a particular case, like bash, if you want to keep it in the tree, you need to mask it, to avoid users that accidentally could install them.

What's not clear?
Comment 3 SpanKY gentoo-dev 2013-12-22 23:43:27 UTC
(In reply to Agostino Sarubbo from comment #2)

users don't accidentally install older bash.  even then, anyone relying on `rbash` as a security solution deserves to be owned.

hard rules that don't take into account the realities are stupid rules.

we're not dropping old bash versions.
Comment 4 Sergey Popov (RETIRED) gentoo-dev 2014-03-20 10:16:08 UTC
Even if they are slotted now, they are still vulnerable (and they are stable), so, if users are definitely sure to use them - they can unmask them.

CCing security@ to this discussion
Comment 5 SpanKY gentoo-dev 2015-10-20 20:35:05 UTC
we're not masking them, although it's moot now that the fix is backported