On Wed, Jan 4, 2017 at 12:23 AM, Rich Freeman <rich0@g.o> wrote:
> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mikemol@×××××.com> wrote:
>>
>> For security's sake, even mature software needs, at minimum, routine auditing.
>> Unless someone's doing that work, the package should be considered for
>> removal. (Call that reason # π, in honor of TeX.)
>>
>
> Are you suggesting that we should ban any package from the tree if we
> don't have evidence of it having recently been subjected to a
> security audit? We might literally have 3 packages left in the tree
> in that case, probably not including the kernel (forget the GNU/Linux
> debate, we might be neither).
>
> The fact that a project gets 47 commits and 100 list posts a week
> doesn't mean that it is being security audited, or that security is
> any kind of serious consideration in how their workflow operates.
>
> I tend to be firmly in the camp that a package shouldn't be removed
> unless there is evidence of a serious bug (and that includes things
> blocking other Gentoo packages). If somebody wants to come up with a
> "curated" overlay or some way of tagging packages that are considered
> extra-secure that would be a nice value-add, but routine auditing is
> not a guarantee we provide to our users. The lack of such an audit
> should not be a reason to treeclean.

+1

>
> --
> Rich
>


--
アリス フェッラッシィ
Alice Ferrazzi

Gentoo, If it moves, compile it!
My_overlay: https://github.com/aliceinwire/overlay
Gentoo Euscan: http://goo.gl/YNbU3h
Mail: Alice Ferrazzi <alicef@g.o>
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A