On Sat, Jan 4, 2020 at 6:42 AM Roy Bamford <neddyseagoon@g.o> wrote:
>
> On 2020.01.04 11:01, Rich Freeman wrote:
> >
> > Is there some reason that we should keep vanilla sources despite not
> > getting security handling?
> >
>
> Gentoo had this discussion before. The outcome was that
> vanilla-sources is just as Linus intended.
> If Gentoo did anything to it, it wouldn't be vanilla any longer.
|
Obviously. I wasn't suggesting that we keep vanilla sources but not
make them vanilla. That doesn't mean that they couldn't be
security-supported, or that we have to have them in the repo.
|
> Yes, it should be kept. We should not force users to learn
> git or tar.
|
Uh, all it does is install kernel sources. They're useless unless you
build a kernel using them.
|
Apparently git and tar are too complicated for Gentoo users, but
managing symlinks, using make, managing a bootloader, dealing with the
kernel's configuration system, and so on are just fine?
|
I completely get the point of the distribution kernel project that was
just announced, as I already said.
|
> I agree git or a tarball of vanilla-sources is faster and more
> efficient but that's not a reason to drop it.
> By the same argument we could drop linux-firmware too.
> There are probably other packages that only install whatever
> they fetch. Could they be dropped?
|
So, a few issues with that argument:
|
1. Those other packages are security supported.
2. Those other packages are largely functional once installed, and to
the degree that they require configuration that is generally one-time
and after updates they remain functional.
|
All that said, it seems like vanilla-sources is pretty up-to-date, so
I'm not sure what we mean by it not being security supported. I just
took that as a given. Does that mean that we're not releasing patches
before upstream? If so, that seems like a pretty minor issue since
upstream generally does security bumps pretty quickly. 4.4.208 isn't
in our repo but was released today - I'm not sure how quickly these
get bumped. If our repo could be days behind that is definitely
another reason not to host this stuff, as users should be directed
upstream if our packages aren't security supported.
|
On a further aside, I just noticed how up-to-date gentoo-sources are.
Kudos to whoever is doing that these days - for a while it was tending
to slip a bit but it seems like we're basically current.
|
--
Rich