Gentoo Archives: gentoo-project

From: "Christopher Díaz Riveros" <chrisadr@g.o>
To: gentoo-project@l.g.o
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Wed, 05 Dec 2018 02:36:50
In Reply to: Re: [gentoo-project] Re: [pre-glep] Security Project Structure by Michael Orlitzky
1 El mar, 04-12-2018 a las 17:05 -0500, Michael Orlitzky escribió:
2 > On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote:
3 > >
4 > > I personally don't agree with part of this section; security is
5 > > relative, and if it is stated to not be supported there are no security
6 > > assumptions. If anything the removal of these arches as security
7 > > supported demonstrates an active decisions not to support them, and
8 > > signals to users of these arches that they can't depend on security
9 > > information from Gentoo. Stable generally means a stable tree of
10 > > dependencies, without security assumptions, if this is e.g used in a
11 > > closed lab that likely doesn't impact much.
12 > >
13 >
14 > This is technically correct, but: how many users even know what a
15 > security-supported arch is? I would guess zero, to a decimal point or
16 > two. Where would I encounter that information in my daily life?
17 >
18 > If I pick up any software system that's run by professionals and that
19 > has a dedicated security team, my out-of-the-box assumption is that
20 > there aren't any known, glaring, and totally fixable security
21 > vulnerabilities being quietly handed to me.
22 >
23 > Having a stable arch that isn't security-supported is a meta-fail... we
24 > have a system that fails open by giving people something that looks like
25 > it should be safe and then (when it bites them) saying "but you didn't
26 > read the fine print!" It should be the other way around: they should
27 > have to read the fine print before they can use those arches.
28 >
30 Or you could, as the GLEP states, try to give them the best set of packages (to
31 our knowledge) so that he/she does not need to read the fine print. That's one
32 of the main reasons I personally wanted to remove the "security supported list"
33 to a plain "stable == secure (to the best of our knowledge)", which should
34 accomplish the final goal: give the end-user something that is in both qa and
35 security the best possible output we can offer.
37 Best regards,
38 --
39 Christopher Díaz Riveros
40 Gentoo Linux Developer
41 GPG Fingerprint: E517 5ECB 8152 98E4 FEBC 2BAA 4DBB D10F 0FDD 2547


File name MIME type
signature.asc application/pgp-signature