From: Rich Freeman
Date: Sat, 4 Jan 2020 06:01:30 -0500
Subject: Re: [gentoo-dev] Vanilla sources
To: gentoo-dev

On Fri, Jan 3, 2020 at 11:28 AM Aaron Bauman wrote:
> On January 3, 2020 9:55:31 AM EST, Michael Orlitzky wrote:
> >On 1/3/20 9:52 AM, Michael Orlitzky wrote:
> >>
> >> But here we are. Do we make OpenRC Linux-only and steal the fix from
> >> systemd? Or pretend to support other operating systems, but leave them
> >> insecure?
> >>
> >
> >Or the gripping hand: rewrite opentmpfiles in C, so that it's only as
> >insecure as checkpath.
> >
> >Every option sucks. I was only trying to point out that vanilla-sources
> >gets no security support -- security@ has stated this, but it's on a
> >private bug, so I won't quote it -- and the risk is more than academic.
>
> This should be known. Security does not support vanilla-sources. This is one reason vanilla-sources are not stabilized.
> Packages without security support should be masked.

Really I don't see the point of even having this in the repo. I run vanilla sources personally but I just get them from upstream. Makes way more sense than worrying about whether the version in the repo is up to date for the longterm kernel I'm following.

People running vanilla sources are probably using out-of-tree modules (like me) and as such are going to have particular requirements around how they're updated. So, Gentoo is adding fairly little value. All they do is download sources anyway, which is trivially done from git more efficiently (or tarballs that are probably easy to obtain just as efficiently).

I can see more of the point in the new distribution kernel project which will be turnkey. I can see some of the value in gentoo-sources (particularly as the upstream for the distribution kernels) especially if they're tied to Gentoo-specific bugs. For more general bugs that apply to all distros I really don't see the point in trying to compete with the upstream stable branches (if they're taking forever to merge a patch, chances are there is a reason for it, and I'm skeptical that Gentoo users are special in some way).

Is there some reason that we should keep vanilla sources despite not getting security handling?

-- 
Rich