From: Duncan <1i5t5.duncan@cox.net>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: New item for sys-kernel/hardened-sources removal
Date: Sun, 20 Aug 2017 09:31:13 +0000 (UTC)

Michał Górny posted on Sun, 20 Aug 2017 09:53:54 +0200 as excerpted:

> On Sun, 20.08.2017 at 00:39 -0500, user R0b0t1
> wrote:
>>
>> The discussion is nice but no one has actually touched on the
>> technical merits of removing the packages besides "they are old."
>> So I ask again: On what basis are the hardened sources being removed
>> from the tree?
>
> Old kernel versions are natural vulnerability targets. Even if they
> are not vulnerable at the moment, they surely will be soon enough.

This.

Hardened-sources isn't just some generic package, where perhaps masking
it as vulnerable but leaving it in the tree for those wishing to use it
for its primary purpose /despite/ vulns, might arguably be justified.

In this case, that "primary purpose" *is* resistance to attack, and
leaving old and now unsupported versions in the tree when they're
guaranteed to be increasingly vulnerable to new attacks is simply
irresponsible, with no logical argument that can be made otherwise, thus
the removal.

Were it any other package, with any other primary purpose... but it's not.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman