| 1 |
Sorry guys, |
| 2 |
|
| 3 |
|
| 4 |
I just can't let go of this thread. I've become Dependant upon it for |
| 5 |
my daily dose of drama. I NEED to hear people flame and bicker all day |
| 6 |
long...!! |
| 7 |
|
| 8 |
Seriously though, this thread about portage signing has made me think |
| 9 |
more thoroughly about gentoo and its security needs. |
| 10 |
|
| 11 |
I decided tonight to take a step back, and look at what the gentoo web |
| 12 |
site has to say about security. And the answer, which came as a |
| 13 |
surprise to me, was very little. |
| 14 |
|
| 15 |
|
| 16 |
I'm not sure how to interpret this. I will admit that I have not yet |
| 17 |
surveyed other open source projects' websites to compare their relative |
| 18 |
emphases on security. But I was surprised to see how little mention |
| 19 |
this big issue receives in the gentoo press, so to speak. |
| 20 |
|
| 21 |
It occurs to me that this lack of transparency is perhaps somewhat to |
| 22 |
blame for the flame war that we're all hopefully healing from by now. I |
| 23 |
really don't know what I should expect from gentoo in terms of security, |
| 24 |
other than having a general understanding that upstream packages will be |
| 25 |
maintained with security fixes. But clearly, creating a secure distro |
| 26 |
involves more than just package maintenance. And clearly, more _IS_ |
| 27 |
being done than just upstream package maintenance. I just have no idea |
| 28 |
what. |
| 29 |
|
| 30 |
In other words, I don't see any mention of security in the gentoo |
| 31 |
philosophy or in the social contract. With all of the "fix it yourself |
| 32 |
if you don't like it" comments I've seen in this thread, I wonder if it |
| 33 |
would be constructive to ask some pointed questions that get to the |
| 34 |
heart of the matter: |
| 35 |
|
| 36 |
|
| 37 |
What should be the extent of gentoo's social responsibility to insure |
| 38 |
the security and integrity of its software? How can this be made |
| 39 |
transparent to users? Are security ethics worthy of mention in the |
| 40 |
social contract? |
| 41 |
|
| 42 |
Is there a written policy for determining what issues warrant the |
| 43 |
issuance of a GLSA? If so, where? If not, should there be? |
| 44 |
|
| 45 |
What part does security -- and by this, I mean security as a concept, as |
| 46 |
an important consideration that keeps the Internet from imploding as |
| 47 |
well as keeping nasty things away from our workstations -- play in the |
| 48 |
gentoo philosophy? Does gentoo believe that security is a point of |
| 49 |
primary importance to an OS? (surely yes!) Should some mention of this |
| 50 |
be included in our philosophy statement? |
| 51 |
|
| 52 |
What does the gentoo developer handbook have to say about security? |
| 53 |
Should it address the security expectations we have of software developers? |
| 54 |
|
| 55 |
What about users who lack the technical ability to "fix it themselves"? |
| 56 |
Do we just want them to go back to Windoze, since they don't know any |
| 57 |
python or C? Or do we have a rudimentary obligation to provide them |
| 58 |
with some (how much?) degree of security out of the box? How should we |
| 59 |
inform users of what to expect? |
| 60 |
|
| 61 |
To what extent should the community be involved in managing security |
| 62 |
issues? What mechanisms exist for this? Should there be a more |
| 63 |
streamlined way for users to see what the status of current security |
| 64 |
efforts is? |
| 65 |
|
| 66 |
Is there a set of criteria we can agree on that might aid us in |
| 67 |
assessing the severity of a threat and need for a fix, in a way that is |
| 68 |
reasonable and fair? How are potential threats currently assessed? |
| 69 |
What should someone do if they think a serious problem is being |
| 70 |
overlooked or actively ignored? Is there a way to set up some |
| 71 |
protocols/procedures that might avoid this kind of flame war in the future? |
| 72 |
|
| 73 |
|
| 74 |
I hope no one sees this as trolling. I'm not trying to start another |
| 75 |
flame war, but I think these are all fundamental, legitimate questions |
| 76 |
raised by this thread. Where exactly _does_ the gentoo project stand on |
| 77 |
security? And how do I find out? This is a key piece of missing |
| 78 |
perspective. |
| 79 |
|
| 80 |
|
| 81 |
|
| 82 |
Cheers, |
| 83 |
|
| 84 |
|
| 85 |
|
| 86 |
-C- |
| 87 |
|
| 88 |
|
| 89 |
PS - In the midst of all the (much-deserved!) dev glorification, I want |
| 90 |
to also thank Peter for sticking to his convictions and moving this |
| 91 |
issue forward. |
Archives