1 |
On 01/03/2017 10:41 AM, Alice Ferrazzi wrote: |
2 |
> On Wed, Jan 4, 2017 at 12:23 AM, Rich Freeman <rich0@g.o> wrote: |
3 |
>> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote: |
4 |
>>> |
5 |
>>> For security's sake, even mature software needs, at minimum, routine auditing. |
6 |
>>> Unless someone's doing that work, the package should be considered for |
7 |
>>> removal. (Call that reason # π, in honor of TeX.) |
8 |
>>> |
9 |
>> |
10 |
>> Are you suggesting that we should ban any package from the tree if we |
11 |
>> don't have evidence of it having recently being subjected to a |
12 |
>> security audit? We might literally have 3 packages left in the tree |
13 |
>> in that case, probably not including the kernel (forget the GNU/Linux |
14 |
>> debate, we might be neither). |
15 |
>> |
16 |
>> The fact that a project gets 47 commits and 100 list posts a week |
17 |
>> doesn't mean that it is being security audited, or that security is |
18 |
>> any kind of serious consideration in how their workflow operates. |
19 |
>> |
20 |
>> I tend to be firmly in the camp that a package shouldn't be removed |
21 |
>> unless there is evidence of a serious bug (and that includes things |
22 |
>> blocking other Gentoo packages). If somebody wants to come up with a |
23 |
>> "curated" overlay or some way of tagging packages that are considered |
24 |
>> extra-secure that would be a nice value-add, but routine auditing is |
25 |
>> not a guarantee we provide to our users. The lack of such an audit |
26 |
>> should not be a reason to treeclean. |
27 |
> |
28 |
> +1 |
29 |
|
30 |
>> Rich |
31 |
|
32 |
Not only do I agree with those sentiments express here (Rich's |
33 |
sentiments), I have an additional prospective. I have been deeply |
34 |
following the development of clusters, particularly "in-house" clusters |
35 |
run on less than a dozen systems. There are an endless number of uses |
36 |
for such clusters, kinda like the modern version of when "X" servers |
37 |
were all the rage decades (and decades) ago, at the very least. In fact |
38 |
the cluster space for in-house clusters, imho, will eventually end up, |
39 |
being a collection of tarballs (stage-4s in gentoo case) that are |
40 |
customized for thousands of finely tuned, secure needs. "Unikernels" is |
41 |
the current buzzword, that docker and others have been using. [1] and |
42 |
have a tightly and minimized framework. Folks that work for "Cloud |
43 |
Vendors" should understand that if individuals and small companies are |
44 |
able to build and run localize, small clusters, then is very easy and |
45 |
comfortable for them to expand into hybrid clusters and become |
46 |
comfortable with outsourcing to the cloud. Many larger companies I |
47 |
consult with or have conversations with, are still uncomfortable with |
48 |
"cloud" anything. In-house clusters are the gateway to growing the |
49 |
entire cloud business, imho. |
50 |
|
51 |
|
52 |
Many of those old and stable codes, that lots of folks are so keen on |
53 |
purging from the tree, are actually quite useful and easy to secure, |
54 |
for such custom frameworks. Those frameworks can easily be packaged up |
55 |
into a stage-4 or a forked gentoo distro or implemented via any number |
56 |
of deployment methods, included CoreOS's fleet, recently added to |
57 |
portage. Security is the pivotal issue with clusters, whether they are |
58 |
in-house or outsourced (the cloud/Paas/Saas/etc) imho. |
59 |
|
60 |
|
61 |
So keeping those old codes around makes my life easier and more |
62 |
interesting. Sure I can go to these old codes and resurrect most, as |
63 |
needed, but why be vindictive by purging things that are old? Does the |
64 |
younger and more progressive devs in gentoo really want to purge old |
65 |
C-hacks like me from the community? I do not mean to offend anyone, but |
66 |
it just seems to me to be just plain unjustified purging useful that are |
67 |
currently not popular codes, and that hurts me on a personal basis. Us |
68 |
'old farts' are the unix historians, here at gentoo; perhaps the more |
69 |
aggressive devs will consider being 'politically correct' towards old |
70 |
farts that have decades and decades of history, with these old codes? |
71 |
|
72 |
|
73 |
Newer codes are valuable too, but often they add a layer of complexity |
74 |
and many attack surfaces, that older codes do not suffer from. So, I |
75 |
would hope we err on the side of keeping ebuilds of old codes around as |
76 |
long as possible, despite the download count. My work is liable to take |
77 |
another year or two to bear fruit, but that's not even the point. I |
78 |
would be excited if we could just move these old packages to an overlay, |
79 |
if/when they do have to be pruned from the gentoo-proper tree. Perhaps |
80 |
the new GLEP on formalizing forking gentoo, will lead to a gentoo-legacy |
81 |
fork, just for historical and nostalgic reasons? |
82 |
|
83 |
|
84 |
I'm betting that these old codes are much more useful than most have |
85 |
figured, but it's going to take some time to establish this performance |
86 |
and superior security postulate, as I use 'old-fart' methodologies..... |
87 |
|
88 |
|
89 |
hth, |
90 |
James |
91 |
|
92 |
[1] http://unikernel.org/blog/2015/unikernels-meet-docker |