From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-89915-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 06D9A138334
	for <garchives@archives.gentoo.org>; Sat,  4 Jan 2020 12:54:25 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 3C700E08A8;
	Sat,  4 Jan 2020 12:54:21 +0000 (UTC)
Received: from mail-pl1-f194.google.com (mail-pl1-f194.google.com [209.85.214.194])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 7D3F3E089F
	for <gentoo-dev@lists.gentoo.org>; Sat,  4 Jan 2020 12:54:20 +0000 (UTC)
Received: by mail-pl1-f194.google.com with SMTP id x17so20058555pln.1
        for <gentoo-dev@lists.gentoo.org>; Sat, 04 Jan 2020 04:54:20 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to;
        bh=ILsZZGNhFBuPXODYpdCKvvi1OPu7gj3cvQkie39frKU=;
        b=FFJ00m2e1rfdxj+VGeu4Lf/WR/6VUPs68tJq9CySWWg0Pq0RVSNOXQqbxlTU6ZWKWY
         LNi0XO8ojYrmIHR5j/09ukL4Pgjlijo/q3X1iAIsnM+Pj/t63w7o/GyqMlwbgDkDJRkE
         f/P6xJeWHeN1mxeZGsISsim2PYJPGjxD8K6dwFlDOt0NiprL+9Hj4PkYFTv85zfqcVJt
         HZ35XHJNMB/BwCklBe5Bz/+V0Dc5fJuR0gJEvmSh/B3FZCTl5ZY4Bu8TUXs8lFMDgpA9
         1j+aP/sIrqAcYiwxnz3yAAxcxskCHdTrxiKV4sn5xUtLMoXAtLdWVFjKGEX7nh2eE0vi
         quqQ==
X-Gm-Message-State: APjAAAV3sarpUOCRgYny52mcTFUBzBRrEzX7COw3rT3yGSE8t5GoNScP
	MZed6UzApEYmoQVOfg2zhLOsKbNuRxu1VD2lxBtfWg==
X-Google-Smtp-Source: APXvYqxzzD2vpsuVgT0GuVF0ZKSMgakeyiFnvnYBx7DZB51M1glxzs1Ry6SPKr+J36SfglbzTQImYaAm7otzRjo4q8A=
X-Received: by 2002:a17:90a:ead3:: with SMTP id ev19mr32368580pjb.80.1578142458819;
 Sat, 04 Jan 2020 04:54:18 -0800 (PST)
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
MIME-Version: 1.0
References: <CAGfcS_=KzxrAWDasd-h4w+dXsUshtTCgNtEJsybaP1WKHz_yLA@mail.gmail.com>
 <OXR3NLZA.SJ53EA2Z.7AJF3PQU@OPMY5W7L.Y2WPO3NT.QUGGKWDU>
In-Reply-To: <OXR3NLZA.SJ53EA2Z.7AJF3PQU@OPMY5W7L.Y2WPO3NT.QUGGKWDU>
From: Rich Freeman <rich0@gentoo.org>
Date: Sat, 4 Jan 2020 07:54:07 -0500
Message-ID: <CAGfcS_kxafwfFuV+n=SdgwSaGdBHapRnvotiDoStmgZuWHeHtA@mail.gmail.com>
Subject: Re: [gentoo-dev] Vanilla sources
To: gentoo-dev <gentoo-dev@lists.gentoo.org>
Content-Type: text/plain; charset="UTF-8"
X-Archives-Salt: c3d378ae-14af-4e5c-83b3-3d83ed62e56d
X-Archives-Hash: 4ffe3fbf84734c61e838e016a6a355eb

On Sat, Jan 4, 2020 at 6:42 AM Roy Bamford <neddyseagoon@gentoo.org> wrote:
>
> On 2020.01.04 11:01, Rich Freeman wrote:
> >
> > Is there some reason that we should keep vanilla sources despite not
> > getting security handling?
> >
>
> Gentoo had this discussion before. The outcome was that
> vanilla-sources is just as Linus intended.
> If Gentoo did anything to it, it wouldn't be vanilla any longer.

Obviously.  I wasn't suggesting that we keep vanilla sources but not
make them vanilla.  That doesn't mean that they couldn't be
security-supported, or that we have to have them in the repo.

> Yes, it should be kept. We should not force users to learn
> git or tar.

Uh, all it does is install kernel sources.  They're useless unless you
build a kernel using them.

Apparently git and tar are too complicated for Gentoo users, but
managing symlinks, using make, managing a bootloader, dealing with the
kernel's configuration system, and so on are just fine?

I completely get the point of the distribution kernel project that was
just announced, as I already said.

> I agree git or a tarball of vanilla-sources is faster and more
> efficient but that's not a reason to drop it.
> By the same argument we could drop linux-firmware too.
> There are probably other packages that only install whatever
> they fetch. Could they be dropped?

So, a few issues with that argument:

1.  Those other packages are security supported.
2.  Those other packages are largely functional once installed, and to
the degree that they require configuration that is generally one-time
and after updates they remain functional.

All that said, it seems like vanilla-sources is pretty up-to-date, so
I'm not sure what we mean by it not being security supported.  I just
took that as a given.  Does that mean that we're not releasing patches
before upstream?  If so, that seems like a pretty minor issue since
upstream generally does security bumps pretty quickly.  4.4.208 isn't
in our repo but was released today - I'm not sure how quickly these
get bumped.  If our repo could be days behind that is definitely
another reason not to host this stuff, as users should be directed
upstream if our packages aren't security supported.

On a further aside, I just noticed how up-to-date gentoo-sources are.
Kudos to whoever is doing that these days - for a while it was tending
to slip a bit but it seems like we're basically current.

-- 
Rich