1 |
On 07/05/2016 06:25 AM, Rich Freeman wrote: |
2 |
> On Mon, Jul 4, 2016 at 11:26 PM, Aaron Bauman <bman@g.o> wrote: |
3 |
>> |
4 |
>> The subject of this particular mailing list post is a little alarming and |
5 |
>> over reactive. We are not running around p.masking everyone's packages, but |
6 |
>> issues that have been outstanding for years often result in such courses of |
7 |
>> action. I personally told Anthony I should have requested his assistance |
8 |
>> initially on the matter, and I do apologize for that. He is an active |
9 |
>> developer who would respond in a timely manner. So once again, I do |
10 |
>> apologize. |
11 |
> |
12 |
> Thanks, and my intent wasn't to suggest that I thought there was any |
13 |
> kind of a trend here. I just wanted to agree that this shouldn't be |
14 |
> how it happens. It sounds like we're already on the same page, which |
15 |
> isn't surprising since this was the first complaint I've heard in a |
16 |
> while. |
17 |
> |
18 |
>> Finally, that does not dissolve the developer of providing usable, |
19 |
>> substantiated, and verifiable information regarding the vulnerabilities. |
20 |
>> The idea that a developer gets to choose whether or not they do so should |
21 |
>> not be considered. |
22 |
> |
23 |
> Also agree. I think we need to have a reasonable security policy, but |
24 |
> clearly there can't be unresolved questions about whether a particular |
25 |
> package-version is vulnerable or not. If we don't get a question like |
26 |
> that resolved in a timely manner then the version should be masked. |
27 |
> Users can then make an informed decision as to whether they want to |
28 |
> take the risk in unmasking it. |
29 |
> |
30 |
> Our security policies are a tree-wide QA commitment that our users |
31 |
> rely on. We shouldn't advertise a security policy that we aren't |
32 |
> willing to enforce. |
33 |
|
34 |
As an old C hack, and user of gentoo for over a decade, I understand the |
35 |
positions being articulated herein. However, I think there is a |
36 |
fundamental perspective that is missing, so I shall attempt to |
37 |
illuminate that perspective. 'C' is still a magical and most important |
38 |
language. It is the transitive language between large, complicated |
39 |
systems, and hardware. Like it or not, without hardware, there are no |
40 |
systems. |
41 |
|
42 |
There are many new and modern languages with wonderful features. I get |
43 |
that, and appreciated that they are needed and desired. But modern |
44 |
(security and usefulness) metrics are being applied to old codes that |
45 |
are useful for a variety of reasons, beyond compiling them and using them. |
46 |
|
47 |
There is an intersection between minimal unix (minimal gentoo in our |
48 |
case) and embedded systems. Docker, many would cite as the leader in |
49 |
commercial container deployments, has realized that minimal is better, |
50 |
faster, easier to secure and can always be 'scaled up' by adding more |
51 |
codes (hence they subsumed Alpine Linux). |
52 |
|
53 |
Gentoo has a rich, legacy in old, simpler codes that bridge embedded |
54 |
linux to (bloated/full-featured) linux. Those old codes that appear to |
55 |
many as useless, indeed form a narrow bridge to both the past and the |
56 |
logic/tricks/methods to get various types of hardware working in a |
57 |
minimal or embedded environment. They are often 'single function' codes |
58 |
without the complexity of a gui or bloated formations. They are easy to |
59 |
read and with a CLI focus, allow a developer to see how some things |
60 |
work. Those old codes, folks are quick to purge now, often contain |
61 |
logical information on how to talk to hardware. (think ethernet for one). |
62 |
|
63 |
|
64 |
So when we had 'the attic' I was fine with codes being purged by |
65 |
whomever. There is no easy to use equivalent in github (and believe me, |
66 |
I'm a noooooob at github), so I have much anxiety about what, from my |
67 |
perspective, appears to be needless purging of many old codes. I have no |
68 |
problem with removal from the official tree, but I'd like to keep them |
69 |
around, regardless of any security, brokeness or un-maintained status. |
70 |
I completely OK with tree-cleaning, just a soon as the ink dries on the |
71 |
new wiki pages that guarantee archival of old codes. Security, is |
72 |
important, but not the main issue from my perspective. Maintenance of |
73 |
old codes, particularly written in C and related to hardware or logic of |
74 |
minimal systems, is keenly important to me. If gentoo remains 'a good |
75 |
stuart' of these codes, it just another mechanism |
76 |
to distinguish our distro, imho. |
77 |
|
78 |
So I would ask (beg if necessary) the kind folks that are the gentoo |
79 |
devs to figure out a way to archive those old codes, and document how to |
80 |
retrieve them, via github, as the attic too is probably like sunrise and |
81 |
such, headed towards deprecation and the chopping block..... |
82 |
|
83 |
|
84 |
Thanks, |
85 |
James |