1 |
On 9/14/19 1:06 PM, Alec Warner wrote: |
2 |
> |
3 |
> - There appears to be some expectation that consensus is required on |
4 |
> the ML; this has (IMHO) never been true. The 'decider' for what to do |
5 |
> isn't the mailing list (by GLEP, it's the council). So this idea that |
6 |
> you can object on the ML and stop a thing isn't really something I'd be |
7 |
> counting on. Sometimes you convince the OP, and sometimes you don't. I |
8 |
> don't think you need to walk away sad when the latter happens. |
9 |
> |
10 |
|
11 |
I'm not going to cry about it or anything. I'm trying to explain my |
12 |
point of view. I regularly spend hours fixing little "quality of life" |
13 |
issues in Gentoo. It's not fun, and I wouldn't do it if I didn't think |
14 |
it was possible to make a difference. |
15 |
|
16 |
But things like this give impression that nobody cares, and that any |
17 |
time you spend trying to fix things is wasted: someone's going to be |
18 |
adding new bugs faster than you can fix the old ones. It's like trying |
19 |
to paint a mural that gets spray-painted over every night. Eventually |
20 |
the artist is going to decide that the people who live there deserve to |
21 |
look at the side of an abandoned building all day. |
22 |
|
23 |
I've filed ~100 bugs for minor security issues, like root exploits in |
24 |
config files, user-controlled binaries in /usr/bin, and race conditions |
25 |
in init scripts. But who actually gives a fuck about a race condition in |
26 |
an init script, when there are parts of the tree that get no security |
27 |
updates at all? It takes YEARS to find, report, and fix a single one of |
28 |
these issues. How long does it take to add a new Go package? |
29 |
|
30 |
It starts to feel like a losing battle. |
31 |
|
32 |
And I'm not throwing in the towel yet, but every time I essentially get |
33 |
told "nobody cares," I agree with this nobody person more and more. |