Re: [gentoo-dev] Re: Current unavoidable use of xz utils in Gentoo

["Kévin GASPARD DE RENEFORT" <kevingaspard@koshie.fr>]

> Helping with any of these three would certainly be reasonable.  But
> demanding a *LOT* of work to alternative-force an already attack-reverted
> package, when we actually KNOW about that one, it's reverted to pre-attack
> and there's likely to be no more mischief there /because/ everybody's
> looking at it now, when it could have been any of a number of packages,
> some of which might already be compromised and we just didn't happen to
> find it, IMO really doesn't make much sense.

Hello,

After so much reading and seeing almost a dead-end to this talk and from 
this citation above I had an idea for OP.

1/ OP is sure that Gentoo and others distro *should* avoid using 
xz-utils, at all cost.

(IMHO that is a respectable choice, *IF* it's possible without adding 
tremendous of works while Gentoo's dev could works on something else… 
Like being sure xz-utils is now safe to use…)

2/ Gentoo's dev stating that it's:

     a) Non-required, to not say useless.

     b) Would ask a lot of money to extend the infrastructure of Gentoo 
(two times the compressed file and the new non-xz would take like +30% 
in size…) and some works in addition for the systems administrators. As 
someone that had this job for some years, that is not always easy as it 
looks like and having more works is never fun while you already have 
some cooking… specially when you are not paid for this.

     c) Would ask a *LOT* of works for Gentoo's devs, ebuild mainteneurs…

     d) For, from Gentoos's dev opinion, something that only a very few 
users will actually use, without speaking about adding a layer of 
complexity in every process, from installing Gentoo or maintaining the 
packages. Looks like an awful jobs to be honest.

If OP is really that sure that Gentoo's dev are having a cavalier 
attitude, non-thinking enough about security in this subject, while 
(sorry but that's true) not paying much respect to the works into the 
community (Gentoo and free software in general)… Well:

Fork Gentoo, or any other distros, start a LFS…

I mean, this is *free software* (as in freedom), what makes you not 
starting your own project with peoples sharing your point-of-view ?

Some debian's user didn't liked the coming of SystemD, some made Devian 
(not even know if it's still around, but that is a simple example). 
Don't some *BSD distribution were borne for technical different 
point-of-view ? Yes, some did and are still here, since decades.

I think, IMHO, you should try to see if peoples around are having the 
same philosophy as you, if you find a bunch of peoples having times and 
willing to do it.

I suppose you have some knowledge, but I can only assume, maybe you 
don't have enough, could take years even if you have already these. Even 
more if you start from 0.

If you are alone, you have two choices:

1/ Do like Slackware, create as a lone-wolf your own distribution.

2/ Accept the idea that your idea is maybe not true, or good.

When a lot of peoples state that you are wrong, it doesn't means you are 
all the time. But at the same time, you were explained more than once 
that it's not a good idea, a really better way or they (Gentoo's dev) 
have other matter to take care of. Maybe Gentoo's dev are wrong. But in 
my case, I'll keep my side for the peoples that has proven theirs skills 
by their works. For more than 20 years, now.

That is just my opinion. You don't like it ? Fork it, find an 
alternative OR accept your faith. Or change for a distribution sharing 
your opinion about that.

PS : Sorry for my English.

Regards,
GASPARD DE RENEFORT Kévin