From: Alec Warner <antarus@gentoo.org>
To: Gentoo Dev <gentoo-dev@lists.gentoo.org>
Subject: Re: [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules
Date: Wed, 18 Sep 2019 12:33:06 -0700 [thread overview]
Message-ID: <CAAr7Pr_j+LTtHoBgRyxV3rUSSrg6zffV4Uroqv=AnkmV0qR87g@mail.gmail.com> (raw)
In-Reply-To: <5ee9a16b-1709-4f79-4308-2b01f13e91d0@gentoo.org>
[-- Attachment #1: Type: text/plain, Size: 1878 bytes --]
On Wed, Sep 18, 2019 at 12:15 PM Michael Orlitzky <mjo@gentoo.org> wrote:
> On 9/18/19 2:04 PM, Alec Warner wrote:
> >
> > I'm actually pretty fine with this wording, upstream has said not to
> > dynamically link in these use cases.
> >
>
> Respectfully, the fact that you're OK with it doesn't make it not BS. It
> reads like "there's no way we can fix this!" when really it means "we
> don't feel like doing this properly!"
>
> Upstreams suggest dumb stuff all the time. We fix it. That's, like, what
> we do here.
>
> >
> > So if the package *maintainer* bumps each package every time it, or a
> > dep has a security issue; then updating will work fine.
> >
>
> Simply not true. If there's a security problem in a dependency and if
> you bump the packages that depend on it... nothing happens. Everyone
> reinstalls the vulnerable dependency, because the vulnerable dependency
is bundled in every single one of those packages.
>
I think the problem I have with this conversation is that I am discussing
things that are technically possible (e.g. we can in fact propagate
security fixes to all go packages, same as dynamically linked packages)
with things we do not think we will do.
If A deps on B and B has a sec vuln we can modify A's go.mod files to
depend on B-next (with security fixes), vendor that in, and bump A.
We don't do this, not because it's not possible, but because it's expensive
and people don't want to do it. The benefit of such a discussion is that
when we don't do this work, we can describe it to end users and say "hey
this is what it takes to run these packages securely, Gentoo has chosen not
to do it, but if you want to use these packages here is the work necessary."
I think that presents a better message than "Upstream is crap" or "these
packages are crap but we are forced to carry them for $reason so use them
at your own risk!".
-A
[-- Attachment #2: Type: text/html, Size: 2786 bytes --]
next prev parent reply other threads:[~2019-09-18 19:33 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-16 14:17 [gentoo-dev] [PATCH 0/1] introduce new eclass to handle go modules (round 3) William Hubbs
2019-09-16 14:17 ` [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules William Hubbs
2019-09-16 17:40 ` William Hubbs
2019-09-16 17:48 ` Zac Medico
2019-09-16 18:26 ` William Hubbs
2019-09-16 19:50 ` Zac Medico
2019-09-16 18:01 ` Zac Medico
2019-09-16 18:35 ` William Hubbs
2019-09-16 18:50 ` Zac Medico
2019-09-16 22:00 ` William Hubbs
2019-09-17 5:36 ` Michał Górny
2019-09-17 14:10 ` William Hubbs
2019-09-17 17:40 ` Zac Medico
2019-09-16 18:05 ` Michał Górny
2019-09-16 18:46 ` William Hubbs
2019-09-16 19:19 ` Michał Górny
2019-09-18 17:49 ` Michael Orlitzky
2019-09-18 18:04 ` Alec Warner
2019-09-18 19:15 ` Michael Orlitzky
2019-09-18 19:33 ` Alec Warner [this message]
2019-09-19 1:09 ` Michael Orlitzky
2019-09-18 19:28 ` Zac Medico
2019-09-18 21:11 ` William Hubbs
-- strict thread matches above, loose matches on Subject: below --
2019-09-18 20:26 [gentoo-dev] [PATCH 0/1] introduce an eclass to handle go modules (round 5) William Hubbs
2019-09-18 20:26 ` [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules William Hubbs
2019-09-18 20:29 ` Michał Górny
2019-09-18 21:28 ` William Hubbs
2019-09-19 1:02 ` Michael Orlitzky
2019-09-16 22:47 [gentoo-dev] [PATCH 0/1] introduce new eclass to handle go modules (round 4) William Hubbs
2019-09-16 22:47 ` [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules William Hubbs
2019-09-13 15:49 [gentoo-dev] [PATCH 0/1] Introduce new eclass to handle go modules (round 2) William Hubbs
2019-09-13 15:49 ` [gentoo-dev] [PATCH 1/1] go-module.eclass: introduce new eclass to handle go modules William Hubbs
2019-09-13 15:58 ` William Hubbs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAAr7Pr_j+LTtHoBgRyxV3rUSSrg6zffV4Uroqv=AnkmV0qR87g@mail.gmail.com' \
--to=antarus@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox