From: Aaron Bauman
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Tue, 4 Dec 2018 17:30:59 -0500
Message-ID: <20181204223059.GN16376@monkey>
In-Reply-To: <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>
References: <6137e99b-2995-0569-9d3d-250924fdf116@gentoo.org> <1d3c9d30-5570-de92-3da9-75bd33c02075@gentoo.org> <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>
List-Id: Gentoo Project discussion list <gentoo-project@lists.gentoo.org>
On Tue, Dec 04, 2018 at 05:05:55PM -0500, Michael Orlitzky wrote:
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote:
> >
> > I personally don't agree with part of this section; security is
> > relative, and if it is stated to not be supported there are no security
> > assumptions. If anything the removal of these arches as security
> > supported demonstrates an active decision not to support them, and
> > signals to users of these arches that they can't depend on security
> > information from Gentoo. Stable generally means a stable tree of
> > dependencies, without security assumptions; if this is e.g. used in a
> > closed lab that likely doesn't impact much.
> >
>
> This is technically correct, but: how many users even know what a
> security-supported arch is? I would guess zero, to a decimal point or
> two. Where would I encounter that information in my daily life?
>
> If I pick up any software system that's run by professionals and that
> has a dedicated security team, my out-of-the-box assumption is that
> there aren't any known, glaring, and totally fixable security
> vulnerabilities being quietly handed to me.
>
> Having a stable arch that isn't security-supported is a meta-fail... we
> have a system that fails open by giving people something that looks like
> it should be safe and then (when it bites them) saying "but you didn't
> read the fine print!" It should be the other way around: they should
> have to read the fine print before they can use those arches.
>

+1 Wonderfully put and I couldn't agree more!
--
Cheers,
Aaron