| 1 |
On Wed, Jan 4, 2017 at 12:23 AM, Rich Freeman <rich0@g.o> wrote: |
| 2 |
> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote: |
| 3 |
>> |
| 4 |
>> For security's sake, even mature software needs, at minimum, routine auditing. |
| 5 |
>> Unless someone's doing that work, the package should be considered for |
| 6 |
>> removal. (Call that reason # π, in honor of TeX.) |
| 7 |
>> |
| 8 |
> |
| 9 |
> Are you suggesting that we should ban any package from the tree if we |
| 10 |
> don't have evidence of it having recently being subjected to a |
| 11 |
> security audit? We might literally have 3 packages left in the tree |
| 12 |
> in that case, probably not including the kernel (forget the GNU/Linux |
| 13 |
> debate, we might be neither). |
| 14 |
> |
| 15 |
> The fact that a project gets 47 commits and 100 list posts a week |
| 16 |
> doesn't mean that it is being security audited, or that security is |
| 17 |
> any kind of serious consideration in how their workflow operates. |
| 18 |
> |
| 19 |
> I tend to be firmly in the camp that a package shouldn't be removed |
| 20 |
> unless there is evidence of a serious bug (and that includes things |
| 21 |
> blocking other Gentoo packages). If somebody wants to come up with a |
| 22 |
> "curated" overlay or some way of tagging packages that are considered |
| 23 |
> extra-secure that would be a nice value-add, but routine auditing is |
| 24 |
> not a guarantee we provide to our users. The lack of such an audit |
| 25 |
> should not be a reason to treeclean. |
| 26 |
|
| 27 |
+1 |
| 28 |
|
| 29 |
> |
| 30 |
> -- |
| 31 |
> Rich |
| 32 |
> |
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
-- |
| 37 |
アリス フェッラッシィ |
| 38 |
Alice Ferrazzi |
| 39 |
|
| 40 |
Gentoo, If it moves, compile it! |
| 41 |
My_overlay: https://github.com/aliceinwire/overlay |
| 42 |
Gentoo Euscan: http://goo.gl/YNbU3h |
| 43 |
Mail: Alice Ferrazzi <alicef@g.o> |
| 44 |
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A |
Archives