Gentoo Archives: gentoo-dev

From: Rich Freeman <rich0@g.o>
To: gentoo-dev <gentoo-dev@l.g.o>
Subject: Re: [gentoo-dev] Vanilla sources
Date: Sat, 04 Jan 2020 12:54:25
Message-Id: CAGfcS_kxafwfFuV+n=SdgwSaGdBHapRnvotiDoStmgZuWHeHtA@mail.gmail.com
In Reply to: Re: [gentoo-dev] Vanilla sources by Roy Bamford
1 On Sat, Jan 4, 2020 at 6:42 AM Roy Bamford <neddyseagoon@g.o> wrote:
2 >
3 > On 2020.01.04 11:01, Rich Freeman wrote:
4 > >
5 > > Is there some reason that we should keep vanilla sources despite not
6 > > getting security handling?
7 > >
8 >
9 > Gentoo had this discussion before. The outcome was that
10 > vanilla-sources is just as Linus intended.
11 > If Gentoo did anything to it, it wouldn't be vanilla any longer.
12
13 Obviously. I wasn't suggesting that we keep vanilla sources but not
14 make them vanilla. That doesn't mean that they couldn't be
15 security-supported, or that we have to have them in the repo.
16
17 > Yes, it should be kept. We should not force users to learn
18 > git or tar.
19
20 Uh, all it does is install kernel sources. They're useless unless you
21 build a kernel using them.
22
23 Apparently git and tar are too complicated for Gentoo users, but
24 managing symlinks, using make, managing a bootloader, dealing with the
25 kernel's configuration system, and so on are just fine?
26
27 I completely get the point of the distribution kernel project that was
28 just announced, as I already said.
29
30 > I agree git or a tarball of vanilla-sources is faster and more
31 > efficient but that's not a reason to drop it.
32 > By the same argument we could drop linux-firmware too.
33 > There are probably other packages that only install whatever
34 > they fetch. Could they be dropped?
35
36 So, a few issues with that argument:
37
38 1. Those other packages are security supported.
39 2. Those other packages are largely functional once installed, and to
40 the degree that they require configuration that is generally one-time
41 and after updates they remain functional.
42
43 All that said, it seems like vanilla-sources is pretty up-to-date, so
44 I'm not sure what we mean by it not being security supported. I just
45 took that as a given. Does that mean that we're not releasing patches
46 before upstream? If so, that seems like a pretty minor issue since
47 upstream generally does security bumps pretty quickly. 4.4.208 isn't
48 in our repo but was released today - I'm not sure how quickly these
49 get bumped. If our repo could be days behind that is definitely
50 another reason not to host this stuff, as users should be directed
51 upstream if our packages aren't security supported.
52
53 On a further aside, I just noticed how up-to-date gentoo-sources are.
54 Kudos to whoever is doing that these days - for a while it was tending
55 to slip a bit but it seems like we're basically current.
56
57 --
58 Rich

Replies

Subject Author
Re: [gentoo-dev] Vanilla sources Roy Bamford <neddyseagoon@g.o>
Re: [gentoo-dev] Vanilla sources Christopher Head <chead@×××××.ca>