1 |
On Thu, Aug 12, 2021 at 01:17:32PM -0700, Matt Turner wrote: |
2 |
> On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
3 |
> > |
4 |
|
5 |
<snip> |
6 |
|
7 |
> To do that, I think we'd want to change what's required for the "clean |
8 |
> up" step. Since today the "clean up" step is dropping the vulnerable |
9 |
> package versions from the tree, it is dependent on |
10 |
> non-security-supported architectures completing the stabilization bug. |
11 |
> I think we'd like to break that dependence. |
12 |
> |
13 |
|
14 |
Yes, please. Thank you for bringing this up. This has been a hotly |
15 |
debated item in the past with former security leads dictating that |
16 |
"clean up" is not relevant to the security process, but it remained |
17 |
codified in documentation that it needs to occur. |
18 |
|
19 |
It is indeed important, as leaving vulnerable versions is the tree is not |
20 |
good for anyone and impacts many other areas (e.g. promoting tree |
21 |
cleanliness). |
22 |
|
23 |
Further, as mgorny mentioned in a follow-up email to this, we need to |
24 |
understand what is a "security supported" architecture. This has also |
25 |
been an issue in the past with council intervention needed to declare |
26 |
dropping specific arches to exp profiles and allowing security to drop |
27 |
support and subsequently move bugs forward. |
28 |
|
29 |
And to continue on my soap box, we have a small blurb on the security |
30 |
page [1] which states what architectures are considered security supported. |
31 |
This is less than ideal. We also generally state that stable arches are |
32 |
supported and must be dealt with during the vulnerability process. |
33 |
|
34 |
So, all in all, it is highly conflated IMHO and is *not* ideal for |
35 |
anyone to have to determine that a particular arch is stable but not |
36 |
security supported. |
37 |
|
38 |
As such, I advocate for any stable arch to be security supported by |
39 |
default. If the arch lags or is dropped then it goes to unstable |
40 |
(process TBD). |
41 |
|
42 |
|
43 |
[1]: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
44 |
|
45 |
-Aaron |