| 1 |
On 05/07/2016 15:07, james wrote: |
| 2 |
> On 07/05/2016 06:25 AM, Rich Freeman wrote: |
| 3 |
>> On Mon, Jul 4, 2016 at 11:26 PM, Aaron Bauman <bman@g.o> wrote: |
| 4 |
>>> |
| 5 |
>>> The subject of this particular mailing list post is a little alarming |
| 6 |
>>> and |
| 7 |
>>> over reactive. We are not running around p.masking everyone's |
| 8 |
>>> packages, but |
| 9 |
>>> issues that have been outstanding for years often result in such |
| 10 |
>>> courses of |
| 11 |
>>> action. I personally told Anthony I should have requested his |
| 12 |
>>> assistance |
| 13 |
>>> initially on the matter, and I do apologize for that. He is an active |
| 14 |
>>> developer who would respond in a timely manner. So once again, I do |
| 15 |
>>> apologize. |
| 16 |
>> |
| 17 |
>> Thanks, and my intent wasn't to suggest that I thought there was any |
| 18 |
>> kind of a trend here. I just wanted to agree that this shouldn't be |
| 19 |
>> how it happens. It sounds like we're already on the same page, which |
| 20 |
>> isn't surprising since this was the first complaint I've heard in a |
| 21 |
>> while. |
| 22 |
>> |
| 23 |
>>> Finally, that does not dissolve the developer of providing usable, |
| 24 |
>>> substantiated, and verifiable information regarding the vulnerabilities. |
| 25 |
>>> The idea that a developer gets to choose whether or not they do so |
| 26 |
>>> should |
| 27 |
>>> not be considered. |
| 28 |
>> |
| 29 |
>> Also agree. I think we need to have a reasonable security policy, but |
| 30 |
>> clearly there can't be unresolved questions about whether a particular |
| 31 |
>> package-version is vulnerable or not. If we don't get a question like |
| 32 |
>> that resolved in a timely manner then the version should be masked. |
| 33 |
>> Users can then make an informed decision as to whether they want to |
| 34 |
>> take the risk in unmasking it. |
| 35 |
>> |
| 36 |
>> Our security policies are a tree-wide QA commitment that our users |
| 37 |
>> rely on. We shouldn't advertise a security policy that we aren't |
| 38 |
>> willing to enforce. |
| 39 |
> |
| 40 |
> As an old C hack, and user of gentoo for over a decade, I understand the |
| 41 |
> positions being articulated herein. However, I think there is a |
| 42 |
> fundamental perspective that is missing, so I shall attempt to |
| 43 |
> illuminate that perspective. 'C' is still a magical and most important |
| 44 |
> language. It is the transitive language between large, complicated |
| 45 |
> systems, and hardware. Like it or not, without hardware, there are no |
| 46 |
> systems. |
| 47 |
> |
| 48 |
> There are many new and modern languages with wonderful features. I get |
| 49 |
> that, and appreciated that they are needed and desired. But modern |
| 50 |
> (security and usefulness) metrics are being applied to old codes that |
| 51 |
> are useful for a variety of reasons, beyond compiling them and using them. |
| 52 |
> |
| 53 |
> There is an intersection between minimal unix (minimal gentoo in our |
| 54 |
> case) and embedded systems. Docker, many would cite as the leader in |
| 55 |
> commercial container deployments, has realized that minimal is better, |
| 56 |
> faster, easier to secure and can always be 'scaled up' by adding more |
| 57 |
> codes (hence they subsumed Alpine Linux). |
| 58 |
> |
| 59 |
> Gentoo has a rich, legacy in old, simpler codes that bridge embedded |
| 60 |
> linux to (bloated/full-featured) linux. Those old codes that appear to |
| 61 |
> many as useless, indeed form a narrow bridge to both the past and the |
| 62 |
> logic/tricks/methods to get various types of hardware working in a |
| 63 |
> minimal or embedded environment. They are often 'single function' codes |
| 64 |
> without the complexity of a gui or bloated formations. They are easy to |
| 65 |
> read and with a CLI focus, allow a developer to see how some things |
| 66 |
> work. Those old codes, folks are quick to purge now, often contain |
| 67 |
> logical information on how to talk to hardware. (think ethernet for one). |
| 68 |
> |
| 69 |
> |
| 70 |
> So when we had 'the attic' I was fine with codes being purged by |
| 71 |
> whomever. There is no easy to use equivalent in github (and believe me, |
| 72 |
> I'm a noooooob at github), so I have much anxiety about what, from my |
| 73 |
> perspective, appears to be needless purging of many old codes. I have no |
| 74 |
> problem with removal from the official tree, but I'd like to keep them |
| 75 |
> around, regardless of any security, brokeness or un-maintained status. I |
| 76 |
> completely OK with tree-cleaning, just a soon as the ink dries on the |
| 77 |
> new wiki pages that guarantee archival of old codes. Security, is |
| 78 |
> important, but not the main issue from my perspective. Maintenance of |
| 79 |
> old codes, particularly written in C and related to hardware or logic of |
| 80 |
> minimal systems, is keenly important to me. If gentoo remains 'a good |
| 81 |
> stuart' of these codes, it just another mechanism |
| 82 |
> to distinguish our distro, imho. |
| 83 |
> |
| 84 |
> So I would ask (beg if necessary) the kind folks that are the gentoo |
| 85 |
> devs to figure out a way to archive those old codes, and document how to |
| 86 |
> retrieve them, via github, as the attic too is probably like sunrise and |
| 87 |
> such, headed towards deprecation and the chopping block..... |
| 88 |
|
| 89 |
|
| 90 |
s/github/git/g |
| 91 |
|
| 92 |
Big difference. Gentoo's tree is not hosted on github, and infra isn't |
| 93 |
going to put an attic equivalent there. |
| 94 |
|
| 95 |
|
| 96 |
|
| 97 |
|
| 98 |
-- |
| 99 |
Alan McKinnon |
| 100 |
alan.mckinnon@×××××.com |
Archives