| 1 |
On 2020-04-07 12:35, Alessandro Barbieri wrote: |
| 2 |
> What about moving all of these binary-only packages in an official overlay |
| 3 |
> (made for the scope) or in GURU? |
| 4 |
|
| 5 |
And which problem is that going to solve? |
| 6 |
|
| 7 |
Do we want to tell world, "Look! Gentoo is the most secure distribution! |
| 8 |
We have zero vulnerabilities*!" |
| 9 |
|
| 10 |
*Because we move vulnerable packages to an overlay! |
| 11 |
|
| 12 |
Please, don't get me wrong. But the whole thread looks like pure |
| 13 |
activism to me. It looks like most people don't understand any details |
| 14 |
but have the feeling "but we must do *anything*". This ignores the fact, |
| 15 |
that most discussed issues in Zoom for example are found/caused by the |
| 16 |
installer. Something we don't have in the Linux version. Or requires |
| 17 |
write access into Zoom application directory which also doesn't affect |
| 18 |
us (this is BTW a can Google opened years ago when they tried to get |
| 19 |
market shares and were looking for a way to allow users to just install |
| 20 |
their software without asking their IT department. Since then it became |
| 21 |
'normal' to install software in user profile. The problem: This allows |
| 22 |
any user process to modify these files, plant exploits to abuse |
| 23 |
vulnerable loaders and stuff like that you don't have when you do proper |
| 24 |
ACLs). |
| 25 |
|
| 26 |
Regarding bin/non-bin: Software has bugs. Some software tends to have |
| 27 |
more issues. Just because we have the source code and compile software |
| 28 |
on user's system doesn't make the application itself more secure than |
| 29 |
the provided binary package. |
| 30 |
|
| 31 |
|
| 32 |
-- |
| 33 |
Regards, |
| 34 |
Thomas Deutschmann / Gentoo Linux Developer |
| 35 |
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5 |
Archives