Gentoo Archives: gentoo-dev

From: Sam James <sam@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [RFC] Removing separate "security supported" arch list
Date: Sat, 23 Oct 2021 13:40:54
Message-Id: 465CB04E-40B0-4706-A968-7CA2D2133C12@gentoo.org
In Reply to: Re: [gentoo-dev] [RFC] Removing separate "security supported" arch list by Thomas Deutschmann
> On 23 Oct 2021, at 02:55, Thomas Deutschmann <whissi@g.o> wrote:
>
> On 2021-10-21 17:16, Mike Gilbert wrote:
>> On Thu, Oct 21, 2021 at 4:05 AM Michał Górny <mgorny@g.o> wrote:
>>> 4. In the end, Security team isn't really respecting this policy.
>>> In the end, this leads to absurdities like GLSA being released before
>>> a package is stable on amd64, and confusing the users [4].
>> This is certainly an absurd mistake, but I think it is unrelated to
>> the topic of your message. It looks like Whissi jumped the gun on
>> releasing a GLSA, which could happen regardless of the policy. Am I
>> missing some context?
>
> Yeah, #4 is bullshit.
>

Well, it's not bullshit per se, it's just not consistent with the policy. We should
update the policy to reflect real life.

What I'd probably like us to do is have at least amd64 stable before
publishing in future (and if there's a reason amd64 can't be, we probably
can't/shouldn't stable on other arches anyway).

> The security team was never happy with the situation to hold back GLSAs until the last architecture was marked stable.
>
> Saying that we are not respecting our own policy is absurd. The team discussed this in 2018 and we agreed that it is fine to already publish a GLSA in case a GLSA is ready and when at least one major architecture (amd64 or x86 at that time) was marked stable. That exception doesn't require a formal policy update.
>

I don't get why this means we shouldn't just update the page..?

> We even wanted to go one step further and release GLSA when no fixed version is available at all to inform users and give them a chance to take actions on their own (to be able to take actions on your own, i.e. you first need to be aware of a problem). However, this would be too complicated and would frustrate many users.

Aye, although this would involve different instructions.

>
> The lived practice with releasing GLSA already when just one major architecture has set stable keyword (and in most cases we covered amd64 and x86 at release time) received good feedback and is accepted by users and didn't cause any problems (can't remember that we ever got GLSA feedback for other architectures than amd64 or x86).
>

best,
sam
