"Stefan Cornelius" <[EMAIL PROTECTED]> writes:

> The maintainer provides a new ebuild, but (s)he is not allowed to
> stable it for any architecture, unless (s)he is a member of that
> architecture team. So often you have a fixed ebuild within the first
> day, but testing and stabling takes some time. (But sometimes, you
> also have to wait weeks for a patch. But that is another story.)
>
> If this update is so important to admins, they are welcome to
> monitor our bugzilla activity to get 0-sec announcements of fixed
> ebuilds.
Another possibility is that the version in ~arch already has the fix, so that there might not be a new ebuild. There might be other reasons, such as dependencies on other ~arch packages, for a delay in stabilising the version with the fix. In these cases it would be useful to have a security announcement stating that the ~arch version is not vulnerable and giving the reasons why the package cannot be made stable in a timely manner. This would give the administrators enough information to make their own risk assessment as to whether to upgrade to the ~arch version (and all its dependencies) or keep running the vulnerable version until the fix is put into stable.

-- 
gentoo-security@gentoo.org mailing list