Ready?
Note that per the discussion in the bug, it's not really a security stabilisation.
I have been using 5.0.1 for over two weeks and I think it's stable enough. However, as Sam noticed, this is not a security matter and it has been two weeks since 5.0.1 was introduced to the tree and I see no reason to hasten the stabilization. I think patching 4.6.7 is way more important as that is the stable and vulnerable package.
I'm really confused now. Either there is a security bug, or there is none? Note that patching 4.6.7 would equally require revbumping and re-stabilisation, so in cases where a stable enough newer version already exists, we usually prefer just going with that instead, even before a 30 day threshold.
The package has a genuine security vulnerability but only on macOS (and Windows) which means Gentoo Prefix. It is not a matter for Gentoo Security as the security team treats Prefix usage as out of scope. No GLSA, and it's not clear there is a benefit to stabilization either. But it's been over half the usual 30-day period for stabilization, the package update seems to be working well, no issues have been reported, and I'd feel comfortable stabilizing if the policy didn't say "30 days". Moreover, it can sometimes be easier to tell people "we package version 5.0.1" than "in our configuration the issue cannot be encountered so even though it's a vulnerable version it's not a vulnerable install". So maybe stabilizing early is fine anyway? I don't have strong feelings about what to do here. Feedback welcome.
Looking at the not so big changelog over 5.0.0 (which had been in ::gentoo since Oct 1st) may help with a decision as well: https://github.com/qbittorrent/qBittorrent/blob/release-5.0.1/Changelog
So what now? Rather move to 5.0.2 already?
5.0.1:
> slot(0) no change in 40 days for unstable keywords: [ ~amd64, ~x86 ]
Let's do it.
How did that box get checked???
amd64 done
x86 done
all arches done