| 1 |
On Tuesday, January 3, 2017 10:23:02 AM EST Rich Freeman wrote: |
| 2 |
> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote: |
| 3 |
> > For security's sake, even mature software needs, at minimum, routine |
| 4 |
> > auditing. Unless someone's doing that work, the package should be |
| 5 |
> > considered for removal. (Call that reason # π, in honor of TeX.) |
| 6 |
> |
| 7 |
> Are you suggesting that we should ban any package from the tree if we |
| 8 |
> don't have evidence of it having recently being subjected to a |
| 9 |
> security audit? |
| 10 |
|
| 11 |
Of course not. Full security audits are stupid expensive, be it in terms of |
| 12 |
money, time or labor. It Would Be Nice if they at least periodically got |
| 13 |
subjected to -Werror -Wall from time to time, or at least a linter check, or |
| 14 |
some tie-in to Coverity, with the results considered, but even that's going to |
| 15 |
be too much to ask an upstream to accept patches for. |
| 16 |
|
| 17 |
Besides, there are going to be vulnerabilities that come from combinations of |
| 18 |
packages and their environments; something that's fine on x86 might have a |
| 19 |
critical vulnerability on arm. Something that's fine on x86_64 might have a bug |
| 20 |
that only presents itself in a constrained address space like x86. Something |
| 21 |
that's generally fine on its own might have a subtle bug that only manifests |
| 22 |
when a particular version of another package's headers are present at build |
| 23 |
time. |
| 24 |
|
| 25 |
It's ludicrous to be absolutist about security. As I remarked to someone the |
| 26 |
other day, there are always more things to fix or secure than you'll have |
| 27 |
resources to follow though on. If someone one think a system is as secure as |
| 28 |
it can possibly be, then they're not as clever as they think they are. |
| 29 |
|
| 30 |
> We might literally have 3 packages left in the tree |
| 31 |
> in that case, probably not including the kernel (forget the GNU/Linux |
| 32 |
> debate, we might be neither). |
| 33 |
> |
| 34 |
> The fact that a project gets 47 commits and 100 list posts a week |
| 35 |
> doesn't mean that it is being security audited, or that security is |
| 36 |
> any kind of serious consideration in how their workflow operates. |
| 37 |
|
| 38 |
I'm sure we all remember Heartbleed. |
| 39 |
|
| 40 |
> |
| 41 |
> I tend to be firmly in the camp that a package shouldn't be removed |
| 42 |
> unless there is evidence of a serious bug (and that includes things |
| 43 |
> blocking other Gentoo packages). If somebody wants to come up with a |
| 44 |
> "curated" overlay or some way of tagging packages that are considered |
| 45 |
> extra-secure that would be a nice value-add, |
| 46 |
|
| 47 |
Ideas like this is one reason I'm looking for a corpus of pros and cons for |
| 48 |
treecleaning. I don't see it as black and white. But having ideas like these |
| 49 |
brought up is at least useful. |
| 50 |
|
| 51 |
> but routine auditing is |
| 52 |
> not a guarantee we provide to our users. The lack of such an audit |
| 53 |
> should not be a reason to treeclean. |
| 54 |
|
| 55 |
I'm not trying to drive a "clean all the things" campaign. Rather, I'm |
| 56 |
principally interested in having a list of the standard arguments one way or |
| 57 |
another, for reference in the inevitable "why should this get cleaned up? It |
| 58 |
works." threads. |
| 59 |
|
| 60 |
There's an old joke that goes something like this: |
| 61 |
|
| 62 |
> Joe is going to his first comedian's convention. He's excited to see all |
| 63 |
> these funny people in person. |
| 64 |
|
| 65 |
> The opening session begins with Robert, who gets up and says, "42!" Everyone |
| 66 |
> busts a gut laughing. Then Susan gets up and says, "73!" Again, everyone |
| 67 |
> laughs. |
| 68 |
|
| 69 |
> Joe asks the guy next to him, "What's going on? I don't get it." |
| 70 |
|
| 71 |
> "Oh, you see, everyone's heard all the same jokes over and over, so to save |
| 72 |
time, they reference them by number." |
| 73 |
|
| 74 |
> "Ah! Let me give it a try." |
| 75 |
|
| 76 |
> Joe stands up and says, "3!" Nobody laughs. Embarassed, Joe sits back down. |
| 77 |
|
| 78 |
> "I don't understand," Joe says to the guy next to him. Why didn't anyone |
| 79 |
> laugh? Was 3 a poor joke? |
| 80 |
|
| 81 |
> "Oh, no, 3 is fine, but the key is in the timing!" |
| 82 |
|
| 83 |
Essentially, I'm looking for the joke book. Because these recurring threads |
| 84 |
would be a lot more interesting and less time-consuming and frictive if |
| 85 |
recurring material could be quickly identified and referenced. And then someone |
| 86 |
who still has a point to make can say, "Well, 3 is more important than 7, and |
| 87 |
here's why." And then have less spilling of words and boiling of blood |
| 88 |
irritating everyone and hardening positions before we get to consider |
| 89 |
something new. |
Archives