paul kölle wrote:
> José González Gómez wrote:
>> I would like to make a proposal here. What if no longer maintained
>> ebuilds were marked but not deleted? Let's say you have _x86 in
>> KEYWORDS for ebuilds/packages no longer maintained, that emerge is
>> aware of that and can inform us of this, and that those ebuilds are
>> maintained in the portage tree for, let's say, a year WITH NO SECURITY
>> BACKPORTS on them. This would be kind of an end-of-life notice that
>> gives you some time to react. This way you would still be able to use
>> the ebuild at your own risk, and this wouldn't represent much extra
>> workload for the Gentoo devs, as the deletion process could be
>> automated with the use of some scripts. What do you think?
> You need package manager support for a new KEYWORD. The simplest
> solution IMO is setting up a "server" overlay on overlays.gentoo.org.
> That could be used for keeping old packages around and adding new
> packages/features that could be interesting in a server environment.
>

I am not sure about it, but I think that there are no GLSAs published
for deleted packages, so you would effectively not know if there was a
security problem. By the nature of how GLSAs are written, it might still
be that your version is marked as being vulnerable. (Most of the time it
is "<specific-version".)
Also, if you update only once in a while, and just for GLSAs, there will
be a lot of dependencies which also would _have_ to be updated. I think
that there are simply not the resources there, but on the other hand,
there are quite a few using gentoo in larger environments, so most
likely they are doing exactly what most people want, and maybe some
process might be initiated so that it would become easier for them to
give their knowledge back to the community.
On the other hand, I have never tried to keep a somewhat stable
environment, so I am not absolutely sure of the work involved. But I
think that gentoo being a somewhat fast-moving target, it will be more
work than with binary distributions like debian, where there is a single
frozen point which is called stable and there are just security updates
for those exact packages. If you start doing that with the tens of
versions available for about everything in portage, it has to be a lot
more work. Well, it would be easier to discuss this in real life.

Greetings,

Jonas
--
gentoo-server@g.o mailing list
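The point above, that a GLSA expresses its affected set as version ranges such as "<specific-version" and that a package with no GLSA at all simply yields no verdict, can be made concrete with a small checker. The following is an added example, not code from this thread or from Gentoo's own glsa-check tool: the GLSA snippet and the "installed" package set are constructed, and the version comparator is a simplified approximation of Gentoo version ordering (numeric components, optional letter, _alpha/_beta/_pre/_rc/_p suffixes, -rN revision) that only handles the plain lt/le/eq/gt/ge range operators.

```python
"""Match installed package versions against GLSA-style version ranges.

Added example for the gentoo-server thread; not part of the original mail
and not Gentoo's glsa-check.  The GLSA XML, the installed set and the
version comparator are constructed/simplified for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Constructed GLSA-style XML.  Real GLSAs use the same <package> /
# <unaffected> / <vulnerable> layout with a "range" attribute; the
# package names, versions and id here are made up.
GLSA_XML = """<glsa id="200000-01">
  <affected>
    <package name="net-misc/foo" auto="yes" arch="*">
      <unaffected range="ge">1.2.3</unaffected>
      <vulnerable range="lt">1.2.3</vulnerable>
    </package>
    <package name="app-misc/bar" auto="yes" arch="*">
      <unaffected range="ge">2.0_rc2-r1</unaffected>
      <vulnerable range="lt">2.0_rc2-r1</vulnerable>
    </package>
  </affected>
</glsa>"""

# Constructed "installed" set.  sys-apps/old-pkg has no GLSA at all,
# which is exactly the situation the mail describes for packages that
# were dropped from the tree: nothing says it is safe, nothing says it
# is vulnerable.
INSTALLED = {
    "net-misc/foo": "1.2.2",
    "app-misc/bar": "2.0_rc2-r1",
    "sys-apps/old-pkg": "0.9",
}

# _alpha < _beta < _pre < _rc < (no suffix) < _p
SUFFIX_ORDER = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "": 0, "p": 1}
VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)([a-z]?)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?$"
)


def version_key(ver):
    """Sort key approximating Gentoo version ordering (assumption: the
    PMS special-casing of leading-zero components is ignored)."""
    m = VERSION_RE.match(ver)
    if not m:
        raise ValueError("unparseable version: %s" % ver)
    nums, letter, suffixes, rev = m.groups()
    num_key = tuple(int(x) for x in nums.split("."))
    suffix_key = []
    for s in suffixes.split("_"):
        if not s:
            continue
        word = s.rstrip("0123456789")
        suffix_key.append((SUFFIX_ORDER[word], int(s[len(word):] or 0)))
    if not suffix_key:
        suffix_key = [(0, 0)]          # no suffix sorts between _rc and _p
    return (num_key, letter, tuple(suffix_key), int(rev or 0))


def in_range(installed, op, ref):
    """Evaluate one GLSA range element (lt/le/eq/gt/ge only)."""
    a, b = version_key(installed), version_key(ref)
    return {
        "lt": a < b, "le": a <= b, "eq": a == b, "gt": a > b, "ge": a >= b,
    }[op]


def check(glsa_xml, installed):
    """Return {package: 'vulnerable' | 'ok' | 'no GLSA: unknown'}."""
    result = {}
    for pkg in ET.fromstring(glsa_xml).iter("package"):
        name = pkg.get("name")
        ver = installed.get(name)
        if ver is None:
            continue                   # not installed, nothing to decide
        vulnerable = any(in_range(ver, v.get("range"), v.text.strip())
                         for v in pkg.findall("vulnerable"))
        unaffected = any(in_range(ver, u.get("range"), u.text.strip())
                         for u in pkg.findall("unaffected"))
        result[name] = "vulnerable" if vulnerable and not unaffected else "ok"
    # Installed packages no GLSA mentions: silence is not a clean bill.
    for name in installed:
        result.setdefault(name, "no GLSA: unknown")
    return result


if __name__ == "__main__":
    for name, verdict in sorted(check(GLSA_XML, INSTALLED).items()):
        print("%-20s %s" % (name, verdict))
```

The "no GLSA: unknown" verdict is the one to watch for in the scenario José describes: an ebuild kept around past its end-of-life would never be listed in a GLSA, so a checker that only reports hits from published advisories would stay silent about it.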