On Tuesday, January 3, 2017 10:23:02 AM EST Rich Freeman wrote:
> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote:
> > For security's sake, even mature software needs, at minimum, routine
> > auditing. Unless someone's doing that work, the package should be
> > considered for removal. (Call that reason # π, in honor of TeX.)
> 
> Are you suggesting that we should ban any package from the tree if we
> don't have evidence of it having recently been subjected to a
> security audit?

Of course not. Full security audits are stupid expensive, be it in terms of
money, time or labor. It Would Be Nice if they at least periodically got
subjected to -Werror -Wall from time to time, or at least a linter check, or
some tie-in to Coverity, with the results considered, but even that's going to
be too much to ask an upstream to accept patches for.

Besides, there are going to be vulnerabilities that come from combinations of
packages and their environments; something that's fine on x86 might have a
critical vulnerability on arm. Something that's fine on x86_64 might have a bug
that only presents itself in a constrained address space like x86. Something
that's generally fine on its own might have a subtle bug that only manifests
when a particular version of another package's headers are present at build
time.

It's ludicrous to be absolutist about security. As I remarked to someone the
other day, there are always more things to fix or secure than you'll have
resources to follow through on. If someone thinks a system is as secure as
it can possibly be, then they're not as clever as they think they are.

> We might literally have 3 packages left in the tree
> in that case, probably not including the kernel (forget the GNU/Linux
> debate, we might be neither).
> 
> The fact that a project gets 47 commits and 100 list posts a week
> doesn't mean that it is being security audited, or that security is
> any kind of serious consideration in how their workflow operates.

I'm sure we all remember Heartbleed.

> 
> I tend to be firmly in the camp that a package shouldn't be removed
> unless there is evidence of a serious bug (and that includes things
> blocking other Gentoo packages). If somebody wants to come up with a
> "curated" overlay or some way of tagging packages that are considered
> extra-secure that would be a nice value-add,

Ideas like this are one reason I'm looking for a corpus of pros and cons for
treecleaning. I don't see it as black and white. But having ideas like these
brought up is at least useful.

> but routine auditing is
> not a guarantee we provide to our users. The lack of such an audit
> should not be a reason to treeclean.

I'm not trying to drive a "clean all the things" campaign. Rather, I'm
principally interested in having a list of the standard arguments one way or
another, for reference in the inevitable "why should this get cleaned up? It
works." threads.

There's an old joke that goes something like this:

> Joe is going to his first comedians' convention. He's excited to see all
> these funny people in person.

> The opening session begins with Robert, who gets up and says, "42!" Everyone
> busts a gut laughing. Then Susan gets up and says, "73!" Again, everyone
> laughs.

> Joe asks the guy next to him, "What's going on? I don't get it."

> "Oh, you see, everyone's heard all the same jokes over and over, so to save
> time, they reference them by number."

> "Ah! Let me give it a try."

> Joe stands up and says, "3!" Nobody laughs. Embarrassed, Joe sits back down.

> "I don't understand," Joe says to the guy next to him. "Why didn't anyone
> laugh? Was 3 a poor joke?"

> "Oh, no, 3 is fine, but the key is in the timing!"

Essentially, I'm looking for the joke book. Because these recurring threads
would be a lot more interesting and less time-consuming and frictive if
recurring material could be quickly identified and referenced. And then someone
who still has a point to make can say, "Well, 3 is more important than 7, and
here's why." And then have less spilling of words and boiling of blood
irritating everyone and hardening positions before we get to consider
something new.