| 1 |
On 01/03/2017 10:41 AM, Alice Ferrazzi wrote: |
| 2 |
> On Wed, Jan 4, 2017 at 12:23 AM, Rich Freeman <rich0@g.o> wrote: |
| 3 |
>> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote: |
| 4 |
>>> |
| 5 |
>>> For security's sake, even mature software needs, at minimum, routine auditing. |
| 6 |
>>> Unless someone's doing that work, the package should be considered for |
| 7 |
>>> removal. (Call that reason # π, in honor of TeX.) |
| 8 |
>>> |
| 9 |
>> |
| 10 |
>> Are you suggesting that we should ban any package from the tree if we |
| 11 |
>> don't have evidence of it having recently being subjected to a |
| 12 |
>> security audit? We might literally have 3 packages left in the tree |
| 13 |
>> in that case, probably not including the kernel (forget the GNU/Linux |
| 14 |
>> debate, we might be neither). |
| 15 |
>> |
| 16 |
>> The fact that a project gets 47 commits and 100 list posts a week |
| 17 |
>> doesn't mean that it is being security audited, or that security is |
| 18 |
>> any kind of serious consideration in how their workflow operates. |
| 19 |
>> |
| 20 |
>> I tend to be firmly in the camp that a package shouldn't be removed |
| 21 |
>> unless there is evidence of a serious bug (and that includes things |
| 22 |
>> blocking other Gentoo packages). If somebody wants to come up with a |
| 23 |
>> "curated" overlay or some way of tagging packages that are considered |
| 24 |
>> extra-secure that would be a nice value-add, but routine auditing is |
| 25 |
>> not a guarantee we provide to our users. The lack of such an audit |
| 26 |
>> should not be a reason to treeclean. |
| 27 |
> |
| 28 |
> +1 |
| 29 |
|
| 30 |
>> Rich |
| 31 |
|
| 32 |
Not only do I agree with those sentiments express here (Rich's |
| 33 |
sentiments), I have an additional prospective. I have been deeply |
| 34 |
following the development of clusters, particularly "in-house" clusters |
| 35 |
run on less than a dozen systems. There are an endless number of uses |
| 36 |
for such clusters, kinda like the modern version of when "X" servers |
| 37 |
were all the rage decades (and decades) ago, at the very least. In fact |
| 38 |
the cluster space for in-house clusters, imho, will eventually end up, |
| 39 |
being a collection of tarballs (stage-4s in gentoo case) that are |
| 40 |
customized for thousands of finely tuned, secure needs. "Unikernels" is |
| 41 |
the current buzzword, that docker and others have been using. [1] and |
| 42 |
have a tightly and minimized framework. Folks that work for "Cloud |
| 43 |
Vendors" should understand that if individuals and small companies are |
| 44 |
able to build and run localize, small clusters, then is very easy and |
| 45 |
comfortable for them to expand into hybrid clusters and become |
| 46 |
comfortable with outsourcing to the cloud. Many larger companies I |
| 47 |
consult with or have conversations with, are still uncomfortable with |
| 48 |
"cloud" anything. In-house clusters are the gateway to growing the |
| 49 |
entire cloud business, imho. |
| 50 |
|
| 51 |
|
| 52 |
Many of those old and stable codes, that lots of folks are so keen on |
| 53 |
purging from the tree, are actually quite useful and easy to secure, |
| 54 |
for such custom frameworks. Those frameworks can easily be packaged up |
| 55 |
into a stage-4 or a forked gentoo distro or implemented via any number |
| 56 |
of deployment methods, included CoreOS's fleet, recently added to |
| 57 |
portage. Security is the pivotal issue with clusters, whether they are |
| 58 |
in-house or outsourced (the cloud/Paas/Saas/etc) imho. |
| 59 |
|
| 60 |
|
| 61 |
So keeping those old codes around makes my life easier and more |
| 62 |
interesting. Sure I can go to these old codes and resurrect most, as |
| 63 |
needed, but why be vindictive by purging things that are old? Does the |
| 64 |
younger and more progressive devs in gentoo really want to purge old |
| 65 |
C-hacks like me from the community? I do not mean to offend anyone, but |
| 66 |
it just seems to me to be just plain unjustified purging useful that are |
| 67 |
currently not popular codes, and that hurts me on a personal basis. Us |
| 68 |
'old farts' are the unix historians, here at gentoo; perhaps the more |
| 69 |
aggressive devs will consider being 'politically correct' towards old |
| 70 |
farts that have decades and decades of history, with these old codes? |
| 71 |
|
| 72 |
|
| 73 |
Newer codes are valuable too, but often they add a layer of complexity |
| 74 |
and many attack surfaces, that older codes do not suffer from. So, I |
| 75 |
would hope we err on the side of keeping ebuilds of old codes around as |
| 76 |
long as possible, despite the download count. My work is liable to take |
| 77 |
another year or two to bear fruit, but that's not even the point. I |
| 78 |
would be excited if we could just move these old packages to an overlay, |
| 79 |
if/when they do have to be pruned from the gentoo-proper tree. Perhaps |
| 80 |
the new GLEP on formalizing forking gentoo, will lead to a gentoo-legacy |
| 81 |
fork, just for historical and nostalgic reasons? |
| 82 |
|
| 83 |
|
| 84 |
I'm betting that these old codes are much more useful than most have |
| 85 |
figured, but it's going to take some time to establish this performance |
| 86 |
and superior security postulate, as I use 'old-fart' methodologies..... |
| 87 |
|
| 88 |
|
| 89 |
hth, |
| 90 |
James |
| 91 |
|
| 92 |
[1] http://unikernel.org/blog/2015/unikernels-meet-docker |
Archives