Re: [gentoo-project] Re: [pre-glep] Security Project Structure

["Christopher Díaz Riveros" <chrisadr@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 2126 bytes --]

El mar, 04-12-2018 a las 17:05 -0500, Michael Orlitzky escribió:
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote:
> > 
> > I personally don't agree with part of this section; security is
> > relative, and if it is stated to not be supported there are no security
> > assumptions. If anything the removal of these arches as security
> > supported demonstrates an active decisions not to support them, and
> > signals to users of these arches that they can't depend on security
> > information from Gentoo. Stable generally means a stable tree of
> > dependencies, without security assumptions, if this is e.g used in a
> > closed lab that likely doesn't impact much.
> > 
> 
> This is technically correct, but: how many users even know what a 
> security-supported arch is? I would guess zero, to a decimal point or 
> two. Where would I encounter that information in my daily life?
> 
> If I pick up any software system that's run by professionals and that 
> has a dedicated security team, my out-of-the-box assumption is that 
> there aren't any known, glaring, and totally fixable security 
> vulnerabilities being quietly handed to me.
> 
> Having a stable arch that isn't security-supported is a meta-fail... we 
> have a system that fails open by giving people something that looks like 
> it should be safe and then (when it bites them) saying "but you didn't 
> read the fine print!" It should be the other way around: they should 
> have to read the fine print before they can use those arches.
> 

Or you could, as the GLEP states, try to give them the best set of packages (to
our knowledge) so that he/she does not need to read the fine print. That's one
of the main reasons I personally wanted to remove the "security supported list"
to a plain "stable == secure (to the best of our knowledge)", which should
accomplish the final goal: give the end-user something that is in both qa and
security the best possible output we can offer.

Best regards,
-- 
Christopher Díaz Riveros
Gentoo Linux Developer
GPG Fingerprint: E517 5ECB 8152 98E4 FEBC  2BAA 4DBB D10F 0FDD 2547

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 636 bytes --]