| 1 |
On 9/14/19 1:06 PM, Alec Warner wrote: |
| 2 |
> |
| 3 |
> - There appears to be some expectation that consensus is required on |
| 4 |
> the ML; this has (IMHO) never been true. The 'decider' for what to do |
| 5 |
> isn't the mailing list (by GLEP, it's the council). So this idea that |
| 6 |
> you can object on the ML and stop a thing isn't really something I'd be |
| 7 |
> counting on. Sometimes you convince the OP, and sometimes you don't. I |
| 8 |
> don't think you need to walk away sad when the latter happens. |
| 9 |
> |
| 10 |
|
| 11 |
I'm not going to cry about it or anything. I'm trying to explain my |
| 12 |
point of view. I regularly spend hours fixing little "quality of life" |
| 13 |
issues in Gentoo. It's not fun, and I wouldn't do it if I didn't think |
| 14 |
it was possible to make a difference. |
| 15 |
|
| 16 |
But things like this give impression that nobody cares, and that any |
| 17 |
time you spend trying to fix things is wasted: someone's going to be |
| 18 |
adding new bugs faster than you can fix the old ones. It's like trying |
| 19 |
to paint a mural that gets spray-painted over every night. Eventually |
| 20 |
the artist is going to decide that the people who live there deserve to |
| 21 |
look at the side of an abandoned building all day. |
| 22 |
|
| 23 |
I've filed ~100 bugs for minor security issues, like root exploits in |
| 24 |
config files, user-controlled binaries in /usr/bin, and race conditions |
| 25 |
in init scripts. But who actually gives a fuck about a race condition in |
| 26 |
an init script, when there are parts of the tree that get no security |
| 27 |
updates at all? It takes YEARS to find, report, and fix a single one of |
| 28 |
these issues. How long does it take to add a new Go package? |
| 29 |
|
| 30 |
It starts to feel like a losing battle. |
| 31 |
|
| 32 |
And I'm not throwing in the towel yet, but every time I essentially get |
| 33 |
told "nobody cares," I agree with this nobody person more and more. |
Archives