1 |
On Fri, 2021-08-13 at 12:50 -0400, Aaron Bauman wrote: |
2 |
> On Thu, Aug 12, 2021 at 01:17:32PM -0700, Matt Turner wrote: |
3 |
> > On Thu, Aug 12, 2021 at 5:53 AM Michał Górny <mgorny@g.o> wrote: |
4 |
> > > |
5 |
> |
6 |
> <snip> |
7 |
> |
8 |
> > To do that, I think we'd want to change what's required for the "clean |
9 |
> > up" step. Since today the "clean up" step is dropping the vulnerable |
10 |
> > package versions from the tree, it is dependent on |
11 |
> > non-security-supported architectures completing the stabilization bug. |
12 |
> > I think we'd like to break that dependence. |
13 |
> > |
14 |
> |
15 |
> Yes, please. Thank you for bringing this up. This has been a hotly |
16 |
> debated item in the past with former security leads dictating that |
17 |
> "clean up" is not relevant to the security process, but it remained |
18 |
> codified in documentation that it needs to occur. |
19 |
> |
20 |
> It is indeed important, as leaving vulnerable versions is the tree is not |
21 |
> good for anyone and impacts many other areas (e.g. promoting tree |
22 |
> cleanliness). |
23 |
> |
24 |
> Further, as mgorny mentioned in a follow-up email to this, we need to |
25 |
> understand what is a "security supported" architecture. This has also |
26 |
> been an issue in the past with council intervention needed to declare |
27 |
> dropping specific arches to exp profiles and allowing security to drop |
28 |
> support and subsequently move bugs forward. |
29 |
> |
30 |
> And to continue on my soap box, we have a small blurb on the security |
31 |
> page [1] which states what architectures are considered security supported. |
32 |
> This is less than ideal. We also generally state that stable arches are |
33 |
> supported and must be dealt with during the vulnerability process. |
34 |
> |
35 |
> So, all in all, it is highly conflated IMHO and is *not* ideal for |
36 |
> anyone to have to determine that a particular arch is stable but not |
37 |
> security supported. |
38 |
> |
39 |
> As such, I advocate for any stable arch to be security supported by |
40 |
> default. If the arch lags or is dropped then it goes to unstable |
41 |
> (process TBD). |
42 |
> |
43 |
|
44 |
Yes, this sounds like a good idea. We should avoid having multiple |
45 |
classifications for architectures. If something's good enough to be |
46 |
stable, it should be security supported. If it's not, then it shouldn't |
47 |
be stable. |
48 |
|
49 |
In the end, I guess the primary problem is manpower. Given that secbugs |
50 |
are normally given priority, I don't really see a case for an arch that |
51 |
would be not good enough to be security supported but at the same time |
52 |
good enough to cope with the wider range of bugs. |
53 |
|
54 |
-- |
55 |
Best regards, |
56 |
Michał Górny |