1 |
On 12/4/18 11:05 PM, Michael Orlitzky wrote: |
2 |
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote: |
3 |
>> |
4 |
>> I personally don't agree with part of this section; security is |
5 |
>> relative, and if it is stated to not be supported there are no security |
6 |
>> assumptions. If anything the removal of these arches as security |
7 |
>> supported demonstrates an active decisions not to support them, and |
8 |
>> signals to users of these arches that they can't depend on security |
9 |
>> information from Gentoo. Stable generally means a stable tree of |
10 |
>> dependencies, without security assumptions, if this is e.g used in a |
11 |
>> closed lab that likely doesn't impact much. |
12 |
>> |
13 |
> |
14 |
> This is technically correct, but: how many users even know what a |
15 |
> security-supported arch is? I would guess zero, to a decimal point or |
16 |
> two. Where would I encounter that information in my daily life? |
17 |
> |
18 |
> If I pick up any software system that's run by professionals and that |
19 |
> has a dedicated security team, my out-of-the-box assumption is that |
20 |
> there aren't any known, glaring, and totally fixable security |
21 |
> vulnerabilities being quietly handed to me. |
22 |
> |
23 |
> Having a stable arch that isn't security-supported is a meta-fail... we |
24 |
> have a system that fails open by giving people something that looks like |
25 |
> it should be safe and then (when it bites them) saying "but you didn't |
26 |
> read the fine print!" It should be the other way around: they should |
27 |
> have to read the fine print before they can use those arches. |
28 |
|
29 |
Well, in terms of CVEs the documentation matters quite a bit, the |
30 |
question isn't necessarily what any user would do ... but what a |
31 |
reasonable user would do.. and a reasonable user would consider the |
32 |
documented practices of a project. |
33 |
|
34 |
-- |
35 |
Kristian Fiskerstrand |
36 |
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net |
37 |
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3 |