Gentoo Archives: gentoo-project

From: Virgil Dupras <vdupras@g.o>
To: gentoo-project@l.g.o
Cc: Michael Orlitzky <mjo@g.o>
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Wed, 05 Dec 2018 03:47:10
In Reply to: Re: [gentoo-project] Re: [pre-glep] Security Project Structure by Michael Orlitzky
On Tue, 4 Dec 2018 17:05:55 -0500
Michael Orlitzky <mjo@g.o> wrote:

> > This is technically correct, but: how many users even know what a > security-supported arch is? I would guess zero, to a decimal point or > two. Where would I encounter that information in my daily life? > > If I pick up any software system that's run by professionals and that > has a dedicated security team, my out-of-the-box assumption is that > there aren't any known, glaring, and totally fixable security > vulnerabilities being quietly handed to me. > > Having a stable arch that isn't security-supported is a meta-fail... we > have a system that fails open by giving people something that looks like > it should be safe and then (when it bites them) saying "but you didn't > read the fine print!" It should be the other way around: they should > have to read the fine print before they can use those arches. >
I very much agree with this. If we end up deciding on keeping the "supported arches" system, I would like to propose that we also add a big red warning, on the download page of unsupported arches, that states that this can't be considered secure and that links to our Vulnerability Treatment Policy. I don't have arm systems anymore, but for a while I did and at the time, I wasn't aware at all of this situation. That's not fun and we probably have many arm users right now who are unknowingly running insecure systems. Regards, Virgil Dupras


Subject Author
Re: [gentoo-project] Re: [pre-glep] Security Project Structure Mikle Kolyada <zlogene@g.o>