On 2020-04-07 12:35, Alessandro Barbieri wrote:
> What about moving all of these binary-only packages in an official overlay
> (made for the scope) or in GURU?

And which problem is that going to solve?

Do we want to tell the world, "Look! Gentoo is the most secure distribution!
We have zero vulnerabilities*!"

*Because we move vulnerable packages to an overlay!

Please, don't get me wrong. But the whole thread looks like pure
activism to me. It looks like most people don't understand any details
but have the feeling "but we must do *anything*". This ignores the fact
that most discussed issues in Zoom, for example, are found in/caused by the
installer. Something we don't have in the Linux version. Or they require
write access to the Zoom application directory, which also doesn't affect
us (this is BTW a can Google opened years ago when they tried to gain
market share and were looking for a way to allow users to just install
their software without asking their IT department. Since then it has become
'normal' to install software in the user profile. The problem: this allows
any user process to modify these files, plant exploits to abuse
vulnerable loaders and stuff like that, which you don't have when you do proper
ACLs).

Regarding bin/non-bin: software has bugs. Some software tends to have
more issues. Just because we have the source code and compile software
on the user's system doesn't make the application itself more secure than
the provided binary package.


--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5