1 |
On Mon, 6 Apr 2020 23:55:07 +0100 |
2 |
Samuel Bernardo <samuelbernardo.mail@×××××.com> wrote: |
3 |
|
4 |
> This is the kind of useful information that we could collect from the |
5 |
> QA, extending the greatness of the best distro ever made. The |
6 |
> availability of software from a distro is better than installing it |
7 |
> standalone, allowing to share knowledge about relevant information such |
8 |
> as security, maintenance, ... |
9 |
|
10 |
Indeed. |
11 |
|
12 |
I've long wanted some sort of capacity for: |
13 |
|
14 |
- Portage to be capable of correlating packages and their versions |
15 |
with known bugs that affect those versions |
16 |
|
17 |
- Portage to be capable of correlating packages and relative CVE's. |
18 |
|
19 |
Presently all we end up doing is: |
20 |
|
21 |
- Oh no, it has a bug, remove it! |
22 |
- Or in more careful conditions, P.Mask it with reasons |
23 |
|
24 |
The best tool we have to solve even part of this problem is glsa-check, |
25 |
but its not mainstream enough. |
26 |
|
27 |
So we simply don't have the /tools/ required for general users to make |
28 |
decisions about "should I upgrade?", "should I remove this?" beyond |
29 |
"oh, its gone", or "oh, its package masked" |
30 |
|
31 |
But utlimately, this is not a technology problem: Its a staffing problem. |
32 |
|
33 |
We simply don't have the power to keep old things or vulnerable things |
34 |
around for people to use "if they're clever" |
35 |
|
36 |
( And every additional version aggregates to exponential complexity |
37 |
creating more places for portage to get confused ) |
38 |
|
39 |
For top level binary things like zoom, its easier due to nothing |
40 |
depending on it. |
41 |
|
42 |
But handling such things for vulnerable or buggy dependencies, things |
43 |
get tricky quickly. |