2010/10/28 Pavel Labushev <p.labushev@gmail.com>
> > I didn't test that patch; even if it's incorrect, the bug report is not
> > about a patch. It's about a security issue.
>
> Well, the bug report is about the patch. There's another bug about the
> issues with LD_AUDIT: https://bugs.gentoo.org/show_bug.cgi?id=341755
>
"The beat goes on! Nothing's wrong!...". Tell me - if an app has a bug - like
the "calc" ;) app in KDE - who uses it? Developers will not patch the app
because it's less than 1% of users that use it in KDE? I don't think so. Even
if it's a lower priority patch I think it should be included in mainstream.
It's like buying a car that closes by remote, but 1% of users will still use
the key for the central lock - oops! None included? Service: "Sorry! That's
not mainstream ;). You must install it by yourself" :].
>
> > This proof-of-concept exploit still works in gentoo (amd64 stable at least,
> > even hardened!), because some dangerous variables are not filtered out.
>
> It still works because glibc-2.11.2-r2 with the fix is still keyworded
> (yeah, epic fail goes on).
>
>
Let's keyword everything, push "da blocks, man!" on every package and this
will be the most secure distro :>. Great job! :)
I think that Gentoo devs forget about something more important in today's
world - USABILITY. The "normal" user without "extra abilities" will not
patch anything because he doesn't even know what a PATCH is. Developers have
those users on Gentoo TOO. This is the strength of Mandriva, Debian-like
distros (the Ubuntu line especially). Users click and software works, it
upgrades, and if there is a bug the patch is downloaded with the latest
update. Tell mister "Marian" from accounting that he must PATCH something.
I like the kind of look on those people's faces after saying that junk ->
:] "Yeah! Sure... What icon should I press in my "K" menu?".
Devs should include patches in mainstream even if it's a lower priority
patch. Why? Because it takes about 2-10 (knowledge level) minutes extra and
drops discussions like this one. 10 minutes extra VS silence - I think it's
fair :).
--
Mateusz Mierzwiński
Bluebox Software [PL]
Neural Networks, Artificial Perception and Artificial Intelligence projects
coordinator