From: Kévin GASPARD DE RENEFORT
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Current unavoidable use of xz utils in Gentoo
Date: Wed, 3 Apr 2024 14:22:18 +0200

> Helping with any of these three would certainly be reasonable. But
> demanding a *LOT* of work to alternative-force an already attack-reverted
> package, when we actually KNOW about that one, it's reverted to pre-attack
> and there's likely to be no more mischief there /because/ everybody's
> looking at it now, when it could have been any of a number of packages,
> some of which might already be compromised and we just didn't happen to
> find it, IMO really doesn't make much sense.

Hello,

After so much reading and seeing almost a dead end to this talk, and from the quotation above, I had an idea for OP.

1/ OP is sure that Gentoo and other distros *should* avoid using xz-utils, at all costs. (IMHO that is a respectable choice, *IF* it's possible without adding a tremendous amount of work while Gentoo's devs could work on something else… Like being sure xz-utils is now safe to use…)

2/ Gentoo's devs stating that it's:
    a) Not required, not to say useless.
    b) Would require a lot of money to extend Gentoo's infrastructure (two times the compressed file and the new non-xz would take like +30% in size…) and some additional work for the system administrators. As someone that had this job for some years, that is not always as easy as it looks, and having more work is never fun while you already have some cooking… especially when you are not paid for this.
    c) Would require a *LOT* of work from Gentoo's devs, ebuild maintainers…
    d) For, in Gentoo's devs' opinion, something that only a very few users will actually use, not to mention adding a layer of complexity to every process, from installing Gentoo to maintaining the packages. Looks like an awful job to be honest.

If OP is really that sure that Gentoo's devs are having a cavalier attitude, not thinking enough about security on this subject, while (sorry but that's true) not paying much respect to the work in the community (Gentoo and free software in general)… Well:

Fork Gentoo, or any other distro, start an LFS… I mean, this is *free software* (as in freedom), what keeps you from starting your own project with people sharing your point of view?

Some Debian users didn't like the coming of systemd, some made Devuan (I don't even know if it's still around, but that is a simple example). Weren't some *BSD distributions born from different technical points of view? Yes, some were, and they are still here, decades later.

I think, IMHO, you should try to see if people around you have the same philosophy as you, if you can find a bunch of people having the time and willing to do it. I suppose you have some knowledge, but I can only assume; maybe you don't have enough. It could take years even if you already have it. Even more if you start from 0.

If you are alone, you have two choices:

1/ Do like Slackware, create your own distribution as a lone wolf.
2/ Accept the idea that your idea is maybe not true, or good.

When a lot of people state that you are wrong, it doesn't mean you are all the time. But at the same time, you were told more than once that it's not a good idea or a really better way, or that they (Gentoo's devs) have other matters to take care of.

Maybe Gentoo's devs are wrong. But in my case, I'll side with the people who have proven their skills by their work. For more than 20 years, now.

That is just my opinion. You don't like it?
Fork it, find an alternative OR accept your fate. Or change to a distribution sharing your opinion about that.

PS: Sorry for my English.

Regards,
GASPARD DE RENEFORT Kévin