Bug 677644 (CVE-2019-7401) - <www-servers/nginx-unit-1.7.1 - heap memory buffer overflow might have been caused in the router process by a specially crafted request, potentially resulting in a segmentation fault or other unspecified behavior (CVE-2019-7401)
Summary: <www-servers/nginx-unit-1.7.1 - heap memory buffer overflow might have been c...
Status: RESOLVED FIXED
Alias: CVE-2019-7401
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://mailman.nginx.org/pipermail/u...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-10 13:41 UTC by Jeroen Roovers (RETIRED)
Modified: 2019-08-04 18:11 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Jeroen Roovers (RETIRED) gentoo-dev 2019-02-10 13:41:43 UTC
"
This is a bugfix release of NGINX Unit that eliminates a security flaw.
All versions of Unit from 0.3 to 1.7 are affected.

Everybody is strongly advised to update to a new version.
"
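As an added example (not part of this bug report, of the Gentoo tree, or of NGINX Unit), the following Python check maps the advisory's affected range, 0.3 through 1.7 with the fix first shipped in 1.7.1 as the bug summary's `<www-servers/nginx-unit-1.7.1` states, onto the version embedded in a Gentoo package atom. The atom parsing, the `-rN` revision handling and the sample atoms are assumptions constructed for illustration; a numeric tuple comparison is used so that 1.7 correctly sorts below 1.7.1, which a plain string comparison would get wrong.

```python
# Added example, not code from the Gentoo bug or from NGINX Unit.
# Decide whether an NGINX Unit version (or a Gentoo nginx-unit atom) lies in
# the range the advisory calls affected: 0.3 <= version < 1.7.1.
import re

AFFECTED_MIN = (0, 3)    # first affected release named in the advisory
FIXED_IN = (1, 7, 1)     # first release with the fix, per the bug summary


def parse_version(version: str) -> tuple:
    """Turn '1.7', '1.7.1' or a Gentoo-style '1.3-r1' into a comparable tuple.

    The Gentoo '-rN' suffix is a packaging revision, not an upstream release,
    so it is dropped before comparing against the upstream advisory range
    (assumption: the revision never back-ports the fix).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_from_atom(atom: str) -> str:
    """Extract the version from an atom such as 'www-servers/nginx-unit-1.3-r1'.

    Gentoo package names may themselves contain hyphens, so the version is the
    first hyphen-separated component (after the name) that starts with a digit.
    """
    name = atom.strip().split("/")[-1]   # drop the category prefix
    parts = name.split("-")
    for i, part in enumerate(parts):
        if i > 0 and part[:1].isdigit():
            return "-".join(parts[i:])
    raise ValueError(f"no version found in atom: {atom!r}")


def is_affected(version: str) -> bool:
    """True if the version falls inside [0.3, 1.7.1), the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def audit(atoms) -> dict:
    """Map each installed atom to whether it is affected by CVE-2019-7401."""
    return {atom: is_affected(version_from_atom(atom)) for atom in atoms}


if __name__ == "__main__":
    # Constructed sample atoms (illustrative, not from a real system).
    installed = [
        "www-servers/nginx-unit-1.3-r1",
        "www-servers/nginx-unit-1.7",
        "www-servers/nginx-unit-1.7.1",
    ]
    for atom, affected in audit(installed).items():
        print(f"{atom}: {'AFFECTED' if affected else 'ok'}")
```

In practice the atom list would come from the package manager rather than being hard-coded; the check itself only needs the version string.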
Comment 1 Ralph Seichter 2019-02-10 14:55:55 UTC
I've opened https://github.com/gentoo/gentoo/pull/11002 to deal with this issue three days before the bug report was filed, but unfortunately nobody has picked up the PR yet.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2019-02-10 15:42:21 UTC
(In reply to Ralph Seichter from comment #1)
> three days before the bug report was filed, but unfortunately nobody
> has picked up the PR yet.

Because no one was aware that there was a security issue to fix? Maybe the PR process can be improved with flags that signal security bugs to people who need to know about it? Or you just file your own security bug reports?
Comment 3 Ralph Seichter 2019-02-10 20:18:24 UTC
Allowing pull request authors to add flags like "security related" is something I'd appreciate. I included the term security in the PR's subject line, but apparently that is not enough to make a pull request stand out, given the volume that needs to be processed.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2019-02-10 23:30:34 UTC
(In reply to Ralph Seichter from comment #3)
> Allowing pull request authors to add flags like "security related" is
> something I'd appreciate. I included the term security in the PR's subject
> line, but apparently that is not enough to make a pull request stand out,
> given the volume that needs to be processed.

The only acceptable workflow for Gentoo is the bugtracker, so it needs to be within this context.
Comment 5 Ralph Seichter 2019-02-11 02:50:38 UTC
(In reply to Kristian Fiskerstrand from comment #4)

> The only acceptable workflow for Gentoo is the bugtracker [...]
That's not how I interpret what I read on the Gentoo Developers mailing list over the last months. My understanding is that using GitHub is the predominant way to get changes into the Gentoo tree, not Bugzilla.

I don't mean to start a debate here; that's something for the mailing list.
Comment 6 Larry the Git Cow gentoo-dev 2019-08-04 11:11:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=11fab555d65c1148e80b372503750765f8b04e10

commit 11fab555d65c1148e80b372503750765f8b04e10
Author:     Ralph Seichter <gentoo@seichter.de>
AuthorDate: 2019-08-04 10:40:45 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-08-04 11:08:46 +0000

    www-servers/nginx-unit: Remove obsolete ebuilds
    
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Ralph Seichter <gentoo@seichter.de>
    Bug: https://bugs.gentoo.org/677644
    Closes: https://github.com/gentoo/gentoo/pull/12616
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 www-servers/nginx-unit/Manifest                 |  5 --
 www-servers/nginx-unit/nginx-unit-1.3-r1.ebuild | 52 -------------------
 www-servers/nginx-unit/nginx-unit-1.3.ebuild    | 39 ---------------
 www-servers/nginx-unit/nginx-unit-1.5.ebuild    | 66 -------------------------
 www-servers/nginx-unit/nginx-unit-1.6.ebuild    | 66 -------------------------
 www-servers/nginx-unit/nginx-unit-1.7.1.ebuild  | 66 -------------------------
 www-servers/nginx-unit/nginx-unit-1.7.ebuild    | 66 -------------------------
 7 files changed, 360 deletions(-)
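Review bot: the file list removes nginx-unit-1.7.1.ebuild together with the 1.3 to 1.7 ebuilds, yet 1.7.1 is the first fixed version according to the bug summary, and nothing in this diffstat shows which nginx-unit ebuild remains in the tree; please state in the commit message (or here) which >=1.7.1 ebuild is still present, so that "Remove obsolete ebuilds" can be verified as cleaning up only vulnerable versions before the bug is closed on the strength of this removal.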
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-08-04 11:12:04 UTC
I think this cleans up all vulnerable versions.  Security, please do your dance.