Gentoo Archives: gentoo-project

From: Virgil Dupras <vdupras@g.o>
To: gentoo-project@l.g.o
Cc: Michael Orlitzky <mjo@g.o>
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Wed, 05 Dec 2018 03:47:10
In Reply to: Re: [gentoo-project] Re: [pre-glep] Security Project Structure by Michael Orlitzky
1 On Tue, 4 Dec 2018 17:05:55 -0500
2 Michael Orlitzky <mjo@g.o> wrote:
4 >
5 > This is technically correct, but: how many users even know what a
6 > security-supported arch is? I would guess zero, to a decimal point or
7 > two. Where would I encounter that information in my daily life?
8 >
9 > If I pick up any software system that's run by professionals and that
10 > has a dedicated security team, my out-of-the-box assumption is that
11 > there aren't any known, glaring, and totally fixable security
12 > vulnerabilities being quietly handed to me.
13 >
14 > Having a stable arch that isn't security-supported is a meta-fail... we
15 > have a system that fails open by giving people something that looks like
16 > it should be safe and then (when it bites them) saying "but you didn't
17 > read the fine print!" It should be the other way around: they should
18 > have to read the fine print before they can use those arches.
19 >
21 I very much agree with this. If we end up deciding on keeping the
22 "supported arches" system, I would like to propose that we also add a
23 big red warning, on the download page of unsupported arches, that
24 states that this can't be considered secure and that links to our
25 Vulnerability Treatment Policy.
27 I don't have arm systems anymore, but for a while I did and at the
28 time, I wasn't aware at all of this situation. That's not fun and we
29 probably have many arm users right now who are unknowingly running
30 insecure systems.
32 Regards,
33 Virgil Dupras


Subject Author
Re: [gentoo-project] Re: [pre-glep] Security Project Structure Mikle Kolyada <zlogene@g.o>