Sorry guys,

I just can't let go of this thread. I've become dependent upon it for
my daily dose of drama. I NEED to hear people flame and bicker all day
long...!!

Seriously though, this thread about portage signing has made me think
more thoroughly about gentoo and its security needs.

I decided tonight to take a step back, and look at what the gentoo web
site has to say about security. And the answer, which came as a
surprise to me, was very little.

I'm not sure how to interpret this. I will admit that I have not yet
surveyed other open source projects' websites to compare their relative
emphases on security. But I was surprised to see how little mention
this big issue receives in the gentoo press, so to speak.

It occurs to me that this lack of transparency is perhaps somewhat to
blame for the flame war that we're all hopefully healing from by now. I
really don't know what I should expect from gentoo in terms of security,
other than having a general understanding that upstream packages will be
maintained with security fixes. But clearly, creating a secure distro
involves more than just package maintenance. And clearly, more _IS_
being done than just upstream package maintenance. I just have no idea
what.

In other words, I don't see any mention of security in the gentoo
philosophy or in the social contract. With all of the "fix it yourself
if you don't like it" comments I've seen in this thread, I wonder if it
would be constructive to ask some pointed questions that get to the
heart of the matter:

What should be the extent of gentoo's social responsibility to ensure
the security and integrity of its software? How can this be made
transparent to users? Are security ethics worthy of mention in the
social contract?

Is there a written policy for determining what issues warrant the
issuance of a GLSA? If so, where? If not, should there be?

What part does security -- and by this, I mean security as a concept, as
an important consideration that keeps the Internet from imploding as
well as keeping nasty things away from our workstations -- play in the
gentoo philosophy? Does gentoo believe that security is a point of
primary importance to an OS? (surely yes!) Should some mention of this
be included in our philosophy statement?

What does the gentoo developer handbook have to say about security?
Should it address the security expectations we have of software developers?

What about users who lack the technical ability to "fix it themselves"?
Do we just want them to go back to Windoze, since they don't know any
python or C? Or do we have a rudimentary obligation to provide them
with some (how much?) degree of security out of the box? How should we
inform users of what to expect?

To what extent should the community be involved in managing security
issues? What mechanisms exist for this? Should there be a more
streamlined way for users to see what the status of current security
efforts is?

Is there a set of criteria we can agree on that might aid us in
assessing the severity of a threat and need for a fix, in a way that is
reasonable and fair? How are potential threats currently assessed?
What should someone do if they think a serious problem is being
overlooked or actively ignored? Is there a way to set up some
protocols/procedures that might avoid this kind of flame war in the future?

I hope no one sees this as trolling. I'm not trying to start another
flame war, but I think these are all fundamental, legitimate questions
raised by this thread. Where exactly _does_ the gentoo project stand on
security? And how do I find out? This is a key piece of missing
perspective.

Cheers,

-C-

PS - In the midst of all the (much-deserved!) dev glorification, I want
to also thank Peter for sticking to his convictions and moving this
issue forward.