| 1 |
On Mon, 6 Apr 2020 23:55:07 +0100 |
| 2 |
Samuel Bernardo <samuelbernardo.mail@×××××.com> wrote: |
| 3 |
|
| 4 |
> This is the kind of useful information that we could collect from the |
| 5 |
> QA, extending the greatness of the best distro ever made. The |
| 6 |
> availability of software from a distro is better than installing it |
| 7 |
> standalone, allowing to share knowledge about relevant information such |
| 8 |
> as security, maintenance, ... |
| 9 |
|
| 10 |
Indeed. |
| 11 |
|
| 12 |
I've long wanted some sort of capacity for: |
| 13 |
|
| 14 |
- Portage to be capable of correlating packages and their versions |
| 15 |
with known bugs that affect those versions |
| 16 |
|
| 17 |
- Portage to be capable of correlating packages and relative CVE's. |
| 18 |
|
| 19 |
Presently all we end up doing is: |
| 20 |
|
| 21 |
- Oh no, it has a bug, remove it! |
| 22 |
- Or in more careful conditions, P.Mask it with reasons |
| 23 |
|
| 24 |
The best tool we have to solve even part of this problem is glsa-check, |
| 25 |
but its not mainstream enough. |
| 26 |
|
| 27 |
So we simply don't have the /tools/ required for general users to make |
| 28 |
decisions about "should I upgrade?", "should I remove this?" beyond |
| 29 |
"oh, its gone", or "oh, its package masked" |
| 30 |
|
| 31 |
But utlimately, this is not a technology problem: Its a staffing problem. |
| 32 |
|
| 33 |
We simply don't have the power to keep old things or vulnerable things |
| 34 |
around for people to use "if they're clever" |
| 35 |
|
| 36 |
( And every additional version aggregates to exponential complexity |
| 37 |
creating more places for portage to get confused ) |
| 38 |
|
| 39 |
For top level binary things like zoom, its easier due to nothing |
| 40 |
depending on it. |
| 41 |
|
| 42 |
But handling such things for vulnerable or buggy dependencies, things |
| 43 |
get tricky quickly. |
Archives