From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] New item for sys-kernel/hardened-sources removal
Date: Sun, 20 Aug 2017 09:53:54 +0200
Message-ID: <1503215634.2055.1.camel@gentoo.org>
In-Reply-To: <CAAD4mYiw-78zx+VpCXhCtE0rDK-ibS7QYm5ESipy-PvR1Rt=7Q@mail.gmail.com>
On Sun, 20.08.2017 at 00:39 -0500, R0b0t1 wrote:
> On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
> (klondike) <klondike@gentoo.org> wrote:
> > On 19/08/17 at 13:18, Aaron W. Swenson wrote:
> > > On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > On 19/08/17 at 12:37, Aaron W. Swenson wrote:
> > > > > On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > > > Hi!
> > > > > >
> > > > > > I'd like to get this one up by Saturday so that we can proceed with
> > > > > > masking and removing of the hardened-sources after upstream stopped
> > > > > > releasing new patches.
> > > > >
> > > > > I hope I’m not too late.
> > > > >
> > > > > > We'd like to note that all the userspace hardening and MAC support
> > > > > > for SELinux provided by Gentoo Hardened will still remain there and
> > > > > > is unaffected by this removal.
> > > > >
> > > > > Where is there? I think you’re talking about the packages, but the news
> > > > > item is about the kernels. It would help to be more specific here.
> > > > >
> > > > > That’s all I had that the others hadn’t touched on.
> > > >
> > > > Do you think something like that is better then?
> > > >
> > > > We'd like to note that all the userspace hardening and MAC support
> > > > for SELinux provided by Gentoo Hardened will still remain available
> > > > on the portage. Keep in mind though that the security provided by
> > > > these features will be weakened a bit when using
> > > > sys-kernel/gentoo-sources. Also, all PaX related packages other than
> > > > the hardened-sources will remain available for the time being.
> > > >
> > > >
> > >
> > > Much better. We should mention that we’re specifically discussing
> > > packages and not portage itself. At least, that’s my understanding from
> > > your edit.
> > >
> > > Here’s my take on it:
> > >
> > > We'd like to note that all the userspace hardening and MAC support for
> > > SELinux provided by Gentoo Hardened will still remain in the packages
> > > found in portage. Keep in mind, though, that the security provided by
> > > these features will be weakened a bit when using
> > > sys-kernel/gentoo-sources. Also, all PaX related packages, except
> > > sys-kernel/hardened-sources, will remain available for the time being.
> >
> > I updated the news item with your proposal. Thanks a lot :)
> >
>
> The discussion is nice but no one has actually touched on the
> technical merits of removing the packages besides "they are old."
> There's plenty of old software in portage. Why not remove it first?
Please select some, and I'll be happy to treeclean it ASAP.
> I had a similar issue with the GCC developer who removed GCJ support.
> I asked him for any justification at all for the removal and he had
> none but some vague statements about it creating work. I would have
> taken any more specific example he gave at face value, but he didn't
> want to give one. I was left to conclude he didn't have one to give.
>
> So I ask again: On what basis are the hardened sources being removed
> from the tree?
Old kernel versions are natural vulnerability targets. Even if they
are not vulnerable at the moment, they surely will be soon enough.
> At this point I am far less interested in making sure the sources stay
> in the tree than I am in forcing you to justify your actions, because
> I suspect your attempt to do so will be entertaining.
>
This is called inappropriate behavior and in a civilized distribution it
should result in disciplinary action. However, that's just my opinion
and I'm free to express it just as you are free to express yours.
--
Best regards,
Michał Górny