| 1 |
On 2020.04.07 09:48, Ulrich Mueller wrote: |
| 2 |
> >>>>> On Tue, 07 Apr 2020, Samuel Bernardo wrote: |
| 3 |
> |
| 4 |
> > No assurance is also a level that takes place in the lower ranking |
| 5 |
> > level. If someone needs to use zoom because they are demanded by |
| 6 |
> their |
| 7 |
> > boss I think that would be even more useful to know that it is |
| 8 |
> possible |
| 9 |
> > to install zoom in Gentoo and that is rated as the worst possible |
| 10 |
> > software. Maybe this would allow others to join our zoom claim... |
| 11 |
> |
| 12 |
> We could add a README.gentoo file with our caveats. It won't be |
| 13 |
> perfect, |
| 14 |
> but maybe better than nothing. (And certainly better than displaying a |
| 15 |
> warning on every upgrade, which will eventually annoy people [1].) |
| 16 |
> |
| 17 |
> Any suggestions for a wording? |
| 18 |
> |
| 19 |
> Ulrich |
| 20 |
> |
| 21 |
> |
| 22 |
> [1] https://bugs.gentoo.org/416769 |
| 23 |
> |
| 24 |
|
| 25 |
Team, |
| 26 |
|
| 27 |
Just 'No.' |
| 28 |
|
| 29 |
Its not useful to anyone to single out a single binary only package |
| 30 |
for special treatment. |
| 31 |
|
| 32 |
Lets compare zoom to firefox-bin as a worked example. |
| 33 |
Nobody except Mozilla knows whats in firefox-bin. Gentoo doesn't |
| 34 |
build it, its the official Mozilla binary build. |
| 35 |
|
| 36 |
Mozilla distubute source code too. There is no assurace that they |
| 37 |
are the sources used to build firefox-bin. |
| 38 |
|
| 39 |
Over the years Firefox has had its share of CVEs. |
| 40 |
How is firefox-bin any different to zoom? |
| 41 |
|
| 42 |
I've only selected firefox-bin as a worked example. There are other |
| 43 |
binary packages in ::gentoo. In the same boat. |
| 44 |
|
| 45 |
They all need to be treated consistently. |
| 46 |
|
| 47 |
|
| 48 |
Then there is the question of the liability exposure. |
| 49 |
There are two prongs to this. |
| 50 |
|
| 51 |
a) any advice will be incomplete and or out of date. |
| 52 |
That will damage trust. |
| 53 |
|
| 54 |
b) one day, it will be plain wrong and zoom or whoever will get very |
| 55 |
upset and be able to prove it. |
| 56 |
|
| 57 |
Its OK to publish advice based on beliefs or opinions, there is no |
| 58 |
requirement for beliefs or opinions to be based on fact but we are |
| 59 |
not discussing beliefs or opinions here. |
| 60 |
|
| 61 |
In summary, we can't be sure of our facts. We can't be sure that |
| 62 |
any warning complete and correct. |
| 63 |
|
| 64 |
Gentoo must not single out any package for special treatment. |
| 65 |
|
| 66 |
-- |
| 67 |
Regards, |
| 68 |
|
| 69 |
Roy Bamford |
| 70 |
(Neddyseagoon) a member of |
| 71 |
elections |
| 72 |
gentoo-ops |
| 73 |
forum-mods |
| 74 |
arm64 |
Archives