Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
From: Christopher Díaz Riveros
To: gentoo-project@lists.gentoo.org
Date: Tue, 04 Dec 2018 21:36:35 -0500
Message-ID: <1543977395.2619.9.camel@gentoo.org>
In-Reply-To: <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>
List-Id: Gentoo Project discussion list
On Tue, 04-12-2018 at 17:05 -0500, Michael Orlitzky wrote:
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote:
> >
> > I personally don't agree with part of this section; security is
> > relative, and if it is stated to not be supported there are no security
> > assumptions. If anything the removal of these arches as security
> > supported demonstrates an active decision not to support them, and
> > signals to users of these arches that they can't depend on security
> > information from Gentoo. Stable generally means a stable tree of
> > dependencies, without security assumptions; if this is e.g. used in a
> > closed lab that likely doesn't impact much.
> >
>
> This is technically correct, but: how many users even know what a
> security-supported arch is? I would guess zero, to a decimal point or
> two. Where would I encounter that information in my daily life?
>
> If I pick up any software system that's run by professionals and that
> has a dedicated security team, my out-of-the-box assumption is that
> there aren't any known, glaring, and totally fixable security
> vulnerabilities being quietly handed to me.
>
> Having a stable arch that isn't security-supported is a meta-fail... we
> have a system that fails open by giving people something that looks like
> it should be safe and then (when it bites them) saying "but you didn't
> read the fine print!" It should be the other way around: they should
> have to read the fine print before they can use those arches.
>

Or you could, as the GLEP states, try to give them the best set of packages
(to our knowledge) so that he/she does not need to read the fine print.
That's one of the main reasons I personally wanted to remove the "security
supported list" in favour of a plain "stable == secure (to the best of our
knowledge)", which should accomplish the final goal: give the end-user
something that is, in both QA and security, the best possible output we can
offer.

Best regards,
--
Christopher Díaz Riveros
Gentoo Linux Developer
GPG Fingerprint: E517 5ECB 8152 98E4 FEBC 2BAA 4DBB D10F 0FDD 2547