1 |
-----BEGIN PGP SIGNED MESSAGE----- |
2 |
Hash: SHA512 |
3 |
|
4 |
On 09/30/2015 01:51 PM, Rich Freeman wrote: |
5 |
> On Wed, Sep 30, 2015 at 7:29 AM, Kristian Fiskerstrand |
6 |
> <k_f@g.o> wrote: |
7 |
>> |
8 |
>> The way I see it this is relevant to the discussion at hand. |
9 |
> |
10 |
> Admittedly it is a bit tangential, but it didn't seem worth |
11 |
> forking the thread over. Certainly I'm not going to invent my own |
12 |
> mailing list and post it there, and then post here to advertise it. |
13 |
> I doubt such a discussion will be all that welcome on the upstream |
14 |
> mailing list. |
15 |
> |
16 |
>> Or is this just increasing our maintenance, and security |
17 |
>> tracking, etc burdens without any strong benefits? |
18 |
> |
19 |
> I don't think that it is necessary to have a cost/benefit analysis |
20 |
> anytime somebody wants to introduce a new package in the tree. |
21 |
|
22 |
I certainly wouldn't mind some thought of the matter, although I agree |
23 |
there should be no formal requirement, but we are, after all, talking |
24 |
about a very central cryptographic and security library here. |
25 |
|
26 |
> |
27 |
> I think it was fair to pause to see if somebody could come up with |
28 |
> a better solution that allows co-existence, but absent that I |
29 |
> don't see any benefit from keeping libressl out of the tree. |
30 |
> We'll just experience all the downsides of the fork without the |
31 |
> upsides. |
32 |
|
33 |
This is what worries me as well, as it increase workload and |
34 |
complexity affecting multiple projects without any immediate and |
35 |
obvious gain. |
36 |
|
37 |
> |
38 |
> It might very well cost some of hasufell's time to maintain it, |
39 |
> but that is time he is freely offering, and it isn't like turning |
40 |
> him away is going to encourage him to spend more time on other |
41 |
> Gentoo features. Cost/benefit for a volunteer distro isn't a |
42 |
> zero-sum game the way it is if you're a manager of a 50-person |
43 |
> development team. |
44 |
|
45 |
Fair enough point, the effort is certainly appreciated. |
46 |
|
47 |
> |
48 |
> I'd love to see somebody come out with a better solution for this |
49 |
> sort of thing, and it probably would need to be bigger than Gentoo |
50 |
> to be truly effective. However, until such a solution comes along |
51 |
> I don't see the benefit of further delay. That's just my two |
52 |
> cents. |
53 |
|
54 |
Immediately I would think we'd need namespace isolation inspired by |
55 |
NixOS etc for this to work, but that isn't something that would easily |
56 |
be implemented and quite frankly would look scarily similar to Go's |
57 |
static linking and issues. |
58 |
|
59 |
In any case; I agree that we're not likely to come up with a good |
60 |
solution in the near future, so delaying it even further doesn't |
61 |
provide any benefit as introducing libressl to the tree seems likely |
62 |
in any case, as long as there is a dedicated effort in following up on |
63 |
issues related to it longer term. |
64 |
|
65 |
- -- |
66 |
Kristian Fiskerstrand |
67 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
68 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
69 |
-----BEGIN PGP SIGNATURE----- |
70 |
|
71 |
iQEcBAEBCgAGBQJWC9EmAAoJECULev7WN52FHaoH/ix5m3Jdep0TurwbDWtpfn3o |
72 |
+EIK7dPwhseYLFl2wpyrCSJHsvQDGbJ06/u2PpGktg264CdInIKjRkO5uKdW2x5t |
73 |
RZBT3WFT2e1mj0OfPjbdLCPWOssvfbvRG/3+Zp1onajbQltDIIBKEdJw9p/VoLgX |
74 |
mEpRRE5myUWzGwSG6+1kBVZHzL1V7MDnlujuGzdlL1FKvWUbl0Hxsp4ApHHwgIIS |
75 |
TotgJv+XmfCfhOy2Qh4IHlaW75KhhzFd0LpSQTZT2kI/0bTVGJR7StuP3d+M66Kg |
76 |
/Y4v6eoublTUoSPSd1Eo5hm9vZnGPSCCdLkvuuXDObgUCVJsdLWyEt8hD4OtFHI= |
77 |
=EerA |
78 |
-----END PGP SIGNATURE----- |