| 1 |
On Thu, Aug 12, 2021 at 01:17:32PM -0700, Matt Turner wrote: |
| 2 |
> On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
| 3 |
> > |
| 4 |
|
| 5 |
<snip> |
| 6 |
|
| 7 |
> To do that, I think we'd want to change what's required for the "clean |
| 8 |
> up" step. Since today the "clean up" step is dropping the vulnerable |
| 9 |
> package versions from the tree, it is dependent on |
| 10 |
> non-security-supported architectures completing the stabilization bug. |
| 11 |
> I think we'd like to break that dependence. |
| 12 |
> |
| 13 |
|
| 14 |
Yes, please. Thank you for bringing this up. This has been a hotly |
| 15 |
debated item in the past with former security leads dictating that |
| 16 |
"clean up" is not relevant to the security process, but it remained |
| 17 |
codified in documentation that it needs to occur. |
| 18 |
|
| 19 |
It is indeed important, as leaving vulnerable versions is the tree is not |
| 20 |
good for anyone and impacts many other areas (e.g. promoting tree |
| 21 |
cleanliness). |
| 22 |
|
| 23 |
Further, as mgorny mentioned in a follow-up email to this, we need to |
| 24 |
understand what is a "security supported" architecture. This has also |
| 25 |
been an issue in the past with council intervention needed to declare |
| 26 |
dropping specific arches to exp profiles and allowing security to drop |
| 27 |
support and subsequently move bugs forward. |
| 28 |
|
| 29 |
And to continue on my soap box, we have a small blurb on the security |
| 30 |
page [1] which states what architectures are considered security supported. |
| 31 |
This is less than ideal. We also generally state that stable arches are |
| 32 |
supported and must be dealt with during the vulnerability process. |
| 33 |
|
| 34 |
So, all in all, it is highly conflated IMHO and is *not* ideal for |
| 35 |
anyone to have to determine that a particular arch is stable but not |
| 36 |
security supported. |
| 37 |
|
| 38 |
As such, I advocate for any stable arch to be security supported by |
| 39 |
default. If the arch lags or is dropped then it goes to unstable |
| 40 |
(process TBD). |
| 41 |
|
| 42 |
|
| 43 |
[1]: https://www.gentoo.org/support/security/vulnerability-treatment-policy.html |
| 44 |
|
| 45 |
-Aaron |
Archives