| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA512 |
| 3 |
|
| 4 |
On 09/30/2015 01:51 PM, Rich Freeman wrote: |
| 5 |
> On Wed, Sep 30, 2015 at 7:29 AM, Kristian Fiskerstrand |
| 6 |
> <k_f@g.o> wrote: |
| 7 |
>> |
| 8 |
>> The way I see it this is relevant to the discussion at hand. |
| 9 |
> |
| 10 |
> Admittedly it is a bit tangential, but it didn't seem worth |
| 11 |
> forking the thread over. Certainly I'm not going to invent my own |
| 12 |
> mailing list and post it there, and then post here to advertise it. |
| 13 |
> I doubt such a discussion will be all that welcome on the upstream |
| 14 |
> mailing list. |
| 15 |
> |
| 16 |
>> Or is this just increasing our maintenance, and security |
| 17 |
>> tracking, etc burdens without any strong benefits? |
| 18 |
> |
| 19 |
> I don't think that it is necessary to have a cost/benefit analysis |
| 20 |
> anytime somebody wants to introduce a new package in the tree. |
| 21 |
|
| 22 |
I certainly wouldn't mind some thought of the matter, although I agree |
| 23 |
there should be no formal requirement, but we are, after all, talking |
| 24 |
about a very central cryptographic and security library here. |
| 25 |
|
| 26 |
> |
| 27 |
> I think it was fair to pause to see if somebody could come up with |
| 28 |
> a better solution that allows co-existence, but absent that I |
| 29 |
> don't see any benefit from keeping libressl out of the tree. |
| 30 |
> We'll just experience all the downsides of the fork without the |
| 31 |
> upsides. |
| 32 |
|
| 33 |
This is what worries me as well, as it increase workload and |
| 34 |
complexity affecting multiple projects without any immediate and |
| 35 |
obvious gain. |
| 36 |
|
| 37 |
> |
| 38 |
> It might very well cost some of hasufell's time to maintain it, |
| 39 |
> but that is time he is freely offering, and it isn't like turning |
| 40 |
> him away is going to encourage him to spend more time on other |
| 41 |
> Gentoo features. Cost/benefit for a volunteer distro isn't a |
| 42 |
> zero-sum game the way it is if you're a manager of a 50-person |
| 43 |
> development team. |
| 44 |
|
| 45 |
Fair enough point, the effort is certainly appreciated. |
| 46 |
|
| 47 |
> |
| 48 |
> I'd love to see somebody come out with a better solution for this |
| 49 |
> sort of thing, and it probably would need to be bigger than Gentoo |
| 50 |
> to be truly effective. However, until such a solution comes along |
| 51 |
> I don't see the benefit of further delay. That's just my two |
| 52 |
> cents. |
| 53 |
|
| 54 |
Immediately I would think we'd need namespace isolation inspired by |
| 55 |
NixOS etc for this to work, but that isn't something that would easily |
| 56 |
be implemented and quite frankly would look scarily similar to Go's |
| 57 |
static linking and issues. |
| 58 |
|
| 59 |
In any case; I agree that we're not likely to come up with a good |
| 60 |
solution in the near future, so delaying it even further doesn't |
| 61 |
provide any benefit as introducing libressl to the tree seems likely |
| 62 |
in any case, as long as there is a dedicated effort in following up on |
| 63 |
issues related to it longer term. |
| 64 |
|
| 65 |
- -- |
| 66 |
Kristian Fiskerstrand |
| 67 |
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net |
| 68 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |
| 69 |
-----BEGIN PGP SIGNATURE----- |
| 70 |
|
| 71 |
iQEcBAEBCgAGBQJWC9EmAAoJECULev7WN52FHaoH/ix5m3Jdep0TurwbDWtpfn3o |
| 72 |
+EIK7dPwhseYLFl2wpyrCSJHsvQDGbJ06/u2PpGktg264CdInIKjRkO5uKdW2x5t |
| 73 |
RZBT3WFT2e1mj0OfPjbdLCPWOssvfbvRG/3+Zp1onajbQltDIIBKEdJw9p/VoLgX |
| 74 |
mEpRRE5myUWzGwSG6+1kBVZHzL1V7MDnlujuGzdlL1FKvWUbl0Hxsp4ApHHwgIIS |
| 75 |
TotgJv+XmfCfhOy2Qh4IHlaW75KhhzFd0LpSQTZT2kI/0bTVGJR7StuP3d+M66Kg |
| 76 |
/Y4v6eoublTUoSPSd1Eo5hm9vZnGPSCCdLkvuuXDObgUCVJsdLWyEt8hD4OtFHI= |
| 77 |
=EerA |
| 78 |
-----END PGP SIGNATURE----- |
Archives