From: Virgil Dupras
To: gentoo-project@lists.gentoo.org
Cc: Michael Orlitzky
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Tue, 4 Dec 2018 22:46:58 -0500
Message-Id: <20181204224658.e3ef5e97796e238120bc833d@gentoo.org>
In-Reply-To: <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>
References: <6137e99b-2995-0569-9d3d-250924fdf116@gentoo.org> <1d3c9d30-5570-de92-3da9-75bd33c02075@gentoo.org> <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>

On Tue, 4 Dec 2018 17:05:55 -0500 Michael Orlitzky wrote:
>
> This is technically correct, but: how many users even know what a
> security-supported arch is? I would guess zero, to a decimal point or
> two. Where would I encounter that information in my daily life?
>
> If I pick up any software system that's run by professionals and that
> has a dedicated security team, my out-of-the-box assumption is that
> there aren't any known, glaring, and totally fixable security
> vulnerabilities being quietly handed to me.
>
> Having a stable arch that isn't security-supported is a meta-fail... we
> have a system that fails open by giving people something that looks like
> it should be safe and then (when it bites them) saying "but you didn't
> read the fine print!" It should be the other way around: they should
> have to read the fine print before they can use those arches.
>

I very much agree with this. If we end up deciding on keeping the
"supported arches" system, I would like to propose that we also add a big
red warning, on the download page of unsupported arches, that states that
this can't be considered secure and that links to our Vulnerability
Treatment Policy.

I don't have arm systems anymore, but for a while I did and at the time, I
wasn't aware at all of this situation. That's not fun and we probably have
many arm users right now who are unknowingly running insecure systems.
Regards,
Virgil Dupras