From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id DE2D2138334 for ; Tue, 4 Dec 2018 01:29:38 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 9EB22E0935; Tue, 4 Dec 2018 01:29:37 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4BCEFE0930 for ; Tue, 4 Dec 2018 01:29:37 +0000 (UTC) Received: from localhost (pool-108-45-63-132.washdc.fios.verizon.net [108.45.63.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: bman) by smtp.gentoo.org (Postfix) with ESMTPSA id 49C7E335C38 for ; Tue, 4 Dec 2018 01:29:35 +0000 (UTC) Date: Mon, 3 Dec 2018 20:29:32 -0500 From: Aaron Bauman To: gentoo-project@lists.gentoo.org Subject: Re: [gentoo-project] Re: [gentoo-dev-announce] Call for agenda items - Council meeting 2018-12-09 Message-ID: <20181204012932.GL16376@monkey> References: <1543149110.17973.1.camel@gentoo.org> <2a393e89-3156-9666-de46-2faf2fd1f7e3@gentoo.org> <20181204001604.GK16376@monkey> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Project discussion list X-BeenThere: gentoo-project@lists.gentoo.org Reply-To: gentoo-project@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="Ms5iOKSBOB9YS8zC" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.11.0 (2018-11-25) X-Archives-Salt: adb46d48-337a-4615-be37-f96e2ef6895e X-Archives-Hash: 2a5b4aba1b27f3516f37239cb70f72ee --Ms5iOKSBOB9YS8zC Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Dec 04, 2018 at 12:39:07AM +0000, M. J. Everitt wrote: > On 04/12/18 00:16, Aaron Bauman wrote: > >> On 25.11.2018 15:31, Mart Raudsepp wrote: > >>> In two weeks from now, there will be a council meeting again. Now is > >>> the time to raise and prepare agenda items that you want us to discuss > >>> and/or vote upon. > >>> > >>> Please respond to this message on the gentoo-project mailing list with > >>> agenda items. > >>> The final agenda will be sent out on 2018-12-02, so please make sure > >>> you post any agenda items before that, or we may not be able to > >>> accommodate it into the next meeting. > >>> > >>> The meeting itself will happen on 2018-12-09 19:00 UTC [1] in the > >>> #gentoo-council FreeNode IRC channel. > >>> > >>> > >>> 1. https://www.timeanddate.com/worldclock/fixedtime.html?iso=3D201812= 09T19 > >>> > >>> > >>> Thanks, > >>> Mart Raudsepp > > I would like to propose, once again, that the council vote on the > > following items: > > > > 1. The council approves all architectures that are maintained as stable > > architectures. > > - e.g. alpha, amd64, arm, arm64, ia64, ppc, ppc64, and x86. > > > > Conversely, the council also may remove/drop such architectures as > > needed (c.f. item 2). > > > > 2. The council approves that all stable architectures are subsequently > > determined to be security supported. Thus, an architecture may not be > > stable and *not* security supported. This disparity has implications in > > processes and timeliness of actions taken to mitigate vulnerabilities > > reported. > > - e.g. amd64 is approved as stable arch and thus is security supported. > > - e.g. arm is dropped as a stable arch thus is no longer security supp= orted. > > > > Overall, both of these items will provide a much clearer understanding > > of how security is able to proceed with mitigating vulnerabilities in > > the tree, how users view and understand what architectures are stable > > and security supported, and allow the security team and maintainers a > > clearer/cleaner process to follow. > > > > Standing by to answer RFI's. > > > > -- > > Cheers, > > Aaron > By all means correct me if I'm wrong, but my understanding was that a > stable *arch* meant that there was a consistent dependency tree, and this > was maintained to ensure there was some integrity to that arch's packages. Correct. Which directly correlates to how the security team and maintainers are able to proceed with security related matters. Very simply put: Vulnerability Identified->Package patched/bumped->Stabilization occurs->Vulnerable package (read... ebuild) is removed->GLSA issued if required->Bug closed. > It had/has nothing to do with security-supported which was another separa= te > classification entirely. >=20 Correct. Historically, it has been treated separately, but due to the previous statement above it is quite interdependent. > I see merit in simplifying the categorisation of arch package sets, but I= 'm > not sure this particular change/proposal will serve much of a purpose, > other than further reinforcing that amd64 is the only arch that Gentoo > officially supports; and sets the wheels in motion for eventual bitrot of Our intent is not bitrot of any arch. Many "alt-arches" (uncommon/exotic... pick a description) keep up just fine... if not exceed more common arches. > anything else, streamlining the way for deprecation and treecleaning > anything which is not relevant for amd64 arch. > Please clarify that this is not, and will not be the case with this > policy/proposal. > This is *not* the case and will never be the case for this proposal. I don't believe anyone would vote/recommend such a thing if an arch is capable of being supported. --=20 Cheers, Aaron --Ms5iOKSBOB9YS8zC Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAABCAAdFiEEiDRK3jyVBE/RkymqpRQw84X1dt0FAlwF2HwACgkQpRQw84X1 dt0tNgf+Lg1VTF3SbueIHoYgGF9enHbP7+/8b0uN+5Op8hKhJXND8fLFde5gKitV UubRxvZtzlZuYUfnfSEGJ/g//CFZ11BN7AyRzK7vsOewdzdwTALwqcKllj834Mti dd/3xuv6L1d2Hwo9aUeGbAGtVAjpdcxl+5lI3bakFa/rPNBxqWCzGnHibGoTGSqr zz0oP5Q1XX6+9ITaw8+OmpZTrzy8sGYVmlEd4LR4dY58qoTrjlTcW42bskg2BxDo OM8YbQm4cZGpU6IsT1g1/jSn9CY3UYd6jJ86fXjxXlj3Q/Awmf35tVkWv4CktnDI izHYConJec5nS9WK4hby0EOMHvgEtQ== =avsa -----END PGP SIGNATURE----- --Ms5iOKSBOB9YS8zC--