From: Kristian Fiskerstrand
To: gentoo-project@lists.gentoo.org, Michael Orlitzky
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
References: <6137e99b-2995-0569-9d3d-250924fdf116@gentoo.org> <1d3c9d30-5570-de92-3da9-75bd33c02075@gentoo.org> <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>
Date: Tue, 4 Dec 2018 23:17:01 +0100
Message-ID: <6e4144f5-e69a-96ea-4ce7-717d1f85376b@gentoo.org>
In-Reply-To: <21194272-4039-e473-8f57-426021fb24b7@gentoo.org>

On 12/4/18 11:05 PM, Michael Orlitzky wrote:
> On 12/4/18 4:05 PM, Kristian Fiskerstrand wrote:
>>
>> I personally don't agree with part of this section; security is relative, and if it is stated to not be supported there are no security assumptions. If anything the removal of these arches as security supported demonstrates an active decision not to support them, and signals to users of these arches that they can't depend on security information from Gentoo. Stable generally means a stable tree of dependencies, without security assumptions; if this is e.g. used in a closed lab that likely doesn't impact much.
>>
>
> This is technically correct, but: how many users even know what a security-supported arch is? I would guess zero, to a decimal point or two. Where would I encounter that information in my daily life?
>
> If I pick up any software system that's run by professionals and that has a dedicated security team, my out-of-the-box assumption is that there aren't any known, glaring, and totally fixable security vulnerabilities being quietly handed to me.
>
> Having a stable arch that isn't security-supported is a meta-fail... we have a system that fails open by giving people something that looks like it should be safe and then (when it bites them) saying "but you didn't read the fine print!" It should be the other way around: they should have to read the fine print before they can use those arches.

Well, in terms of CVEs the documentation matters quite a bit. The question isn't necessarily what any user would do, but what a reasonable user would do, and a reasonable user would consider the documented practices of a project.
-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr: 94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3