Re: [gentoo-project] Re: [pre-glep] Security Project Structure

[Virgil Dupras <vdupras@gentoo.org>]

[-- Attachment #1: Type: text/plain, Size: 1492 bytes --]

On Tue, 4 Dec 2018 17:05:55 -0500
Michael Orlitzky <mjo@gentoo.org> wrote:

> 
> This is technically correct, but: how many users even know what a 
> security-supported arch is? I would guess zero, to a decimal point or 
> two. Where would I encounter that information in my daily life?
> 
> If I pick up any software system that's run by professionals and that 
> has a dedicated security team, my out-of-the-box assumption is that 
> there aren't any known, glaring, and totally fixable security 
> vulnerabilities being quietly handed to me.
> 
> Having a stable arch that isn't security-supported is a meta-fail... we 
> have a system that fails open by giving people something that looks like 
> it should be safe and then (when it bites them) saying "but you didn't 
> read the fine print!" It should be the other way around: they should 
> have to read the fine print before they can use those arches.
> 

I very much agree with this. If we end up deciding on keeping the
"supported arches" system, I would like to propose that we also add a
big red warning, on the download page of unsupported arches, that
states that this can't be considered secure and that links to our
Vulnerability Treatment Policy.

I don't have arm systems anymore, but for a while I did and at the
time, I wasn't aware at all of this situation. That's not fun and we
probably have many arm users right now who are unknowingly running
insecure systems.

Regards,
Virgil Dupras

[-- Attachment #2: Type: application/pgp-signature, Size: 488 bytes --]