| 1 |
paul kölle wrote: |
| 2 |
> José González Gómez schrieb: |
| 3 |
>> I would like to make a proposal here. What if no longer mantained |
| 4 |
>> ebuilds were marked but not deleted? Let's say you have _x86 in |
| 5 |
>> KEYWORDS for ebuilds/packages no longer mantained, that emerge is |
| 6 |
>> aware of that and can inform us of this and that those ebuilds are |
| 7 |
>> mantained in the portage tree for, let's say, a year WITH NO SECURITY |
| 8 |
>> BACKPORTS on them. This would be kind of a end of life notice that |
| 9 |
>> gives you some time to react. This way you still would be able to use |
| 10 |
>> the ebuild at your own risk, and this wouldn't represent much extra |
| 11 |
>> work load for the Gentoo devs, as the deletion process could be |
| 12 |
>> automatic with the use of some scripts. What do you think? |
| 13 |
> You need package manager support for a new KEYWORD. The simplest |
| 14 |
> solution IMO is setting up a "server" overlay on overlays.gentoo.org. |
| 15 |
> That could be used for keeping old packages around and adding new |
| 16 |
> packages/features that could be interesting in a server environment. |
| 17 |
> |
| 18 |
|
| 19 |
I am not sure about it, but I think that there are no GLSAs published |
| 20 |
for deleted packages, so you would effectively not know if there was a |
| 21 |
security problem. By the nature of how GLSAs are written, it might still |
| 22 |
be that your version is marked as being vulnerable. (Most of the time it |
| 23 |
is "<specific-version") |
| 24 |
Also, if you update only once in a while, and just for GLSAs, there will |
| 25 |
be a lot of depencies which also would _have_ to be updated. I think |
| 26 |
that there are simply not the ressources there, but on the other hand, |
| 27 |
there are quite a few using gentoo in larger environments, so most |
| 28 |
likely they are doing exactly what most people want, and maybe some |
| 29 |
process might be initiated so that it would become easier for them to |
| 30 |
give their knowledge back to the community. |
| 31 |
On the other hand have I never tried to keep a somewhat stable |
| 32 |
environment, so I am not absolutely sure of the work involved. But I |
| 33 |
think that gentoo being a somewhat fast-moving target, it will be more |
| 34 |
work than with binary distributions like debian, where there is a single |
| 35 |
frozen point which is called stable and there are just security updates |
| 36 |
for those exact packages. If you start doing that with the 10th of |
| 37 |
versions available for about everything in portage, it has to be a lot |
| 38 |
more work. Well, would be easier to discuss this in rl. |
| 39 |
|
| 40 |
Greetings, |
| 41 |
|
| 42 |
Jonas |
| 43 |
-- |
| 44 |
gentoo-server@g.o mailing list |
Archives