| 1 |
El mar, 04-12-2018 a las 17:05 -0500, Michael Orlitzky escribió: |
| 2 |
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote: |
| 3 |
> > |
| 4 |
> > I personally don't agree with part of this section; security is |
| 5 |
> > relative, and if it is stated to not be supported there are no security |
| 6 |
> > assumptions. If anything the removal of these arches as security |
| 7 |
> > supported demonstrates an active decisions not to support them, and |
| 8 |
> > signals to users of these arches that they can't depend on security |
| 9 |
> > information from Gentoo. Stable generally means a stable tree of |
| 10 |
> > dependencies, without security assumptions, if this is e.g used in a |
| 11 |
> > closed lab that likely doesn't impact much. |
| 12 |
> > |
| 13 |
> |
| 14 |
> This is technically correct, but: how many users even know what a |
| 15 |
> security-supported arch is? I would guess zero, to a decimal point or |
| 16 |
> two. Where would I encounter that information in my daily life? |
| 17 |
> |
| 18 |
> If I pick up any software system that's run by professionals and that |
| 19 |
> has a dedicated security team, my out-of-the-box assumption is that |
| 20 |
> there aren't any known, glaring, and totally fixable security |
| 21 |
> vulnerabilities being quietly handed to me. |
| 22 |
> |
| 23 |
> Having a stable arch that isn't security-supported is a meta-fail... we |
| 24 |
> have a system that fails open by giving people something that looks like |
| 25 |
> it should be safe and then (when it bites them) saying "but you didn't |
| 26 |
> read the fine print!" It should be the other way around: they should |
| 27 |
> have to read the fine print before they can use those arches. |
| 28 |
> |
| 29 |
|
| 30 |
Or you could, as the GLEP states, try to give them the best set of packages (to |
| 31 |
our knowledge) so that he/she does not need to read the fine print. That's one |
| 32 |
of the main reasons I personally wanted to remove the "security supported list" |
| 33 |
to a plain "stable == secure (to the best of our knowledge)", which should |
| 34 |
accomplish the final goal: give the end-user something that is in both qa and |
| 35 |
security the best possible output we can offer. |
| 36 |
|
| 37 |
Best regards, |
| 38 |
-- |
| 39 |
Christopher Díaz Riveros |
| 40 |
Gentoo Linux Developer |
| 41 |
GPG Fingerprint: E517 5ECB 8152 98E4 FEBC 2BAA 4DBB D10F 0FDD 2547 |
Archives