From: Mikle Kolyada <zlogene@gentoo.org>
To: gentoo-project@lists.gentoo.org
Subject: Re: [gentoo-project] Re: [pre-glep] Security Project Structure
Date: Wed, 5 Dec 2018 18:02:33 +0300 [thread overview]
Message-ID: <e08ac462-96d0-f17f-21e1-23bfdae42e11@gentoo.org> (raw)
In-Reply-To: <20181204224658.e3ef5e97796e238120bc833d@gentoo.org>
[-- Attachment #1.1: Type: text/plain, Size: 1833 bytes --]
On 05.12.2018 6:46, Virgil Dupras wrote:
> On Tue, 4 Dec 2018 17:05:55 -0500
> Michael Orlitzky <mjo@gentoo.org> wrote:
>
>> This is technically correct, but: how many users even know what a
>> security-supported arch is? I would guess zero, to a decimal point or
>> two. Where would I encounter that information in my daily life?
>>
>> If I pick up any software system that's run by professionals and that
>> has a dedicated security team, my out-of-the-box assumption is that
>> there aren't any known, glaring, and totally fixable security
>> vulnerabilities being quietly handed to me.
>>
>> Having a stable arch that isn't security-supported is a meta-fail... we
>> have a system that fails open by giving people something that looks like
>> it should be safe and then (when it bites them) saying "but you didn't
>> read the fine print!" It should be the other way around: they should
>> have to read the fine print before they can use those arches.
>>
> I very much agree with this. If we end up deciding on keeping the
> "supported arches" system, I would like to propose that we also add a
> big red warning, on the download page of unsupported arches, that
> states that this can't be considered secure and that links to our
> Vulnerability Treatment Policy.
>
> I don't have arm systems anymore, but for a while I did and at the
> time, I wasn't aware at all of this situation. That's not fun and we
> probably have many arm users right now who are unknowingly running
> insecure systems.
>
> Regards,
> Virgil Dupras
The "stable" definition within the security project is ridiculous and
has to be clarified.
Stable == "once stable arches are stabilised we can send a GLSA". It
does not mean
that so-called "security unstable" arches do not get stable updates.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
next prev parent reply other threads:[~2018-12-05 15:02 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-04 20:55 [gentoo-project] [pre-glep] Security Project Structure Kristian Fiskerstrand
2018-12-04 21:05 ` [gentoo-project] " Kristian Fiskerstrand
2018-12-04 22:05 ` Michael Orlitzky
2018-12-04 22:17 ` Kristian Fiskerstrand
2018-12-04 22:23 ` Michael Orlitzky
2018-12-04 22:35 ` Aaron Bauman
2018-12-04 22:30 ` Aaron Bauman
2018-12-05 9:12 ` M. J. Everitt
2018-12-05 2:36 ` Christopher Díaz Riveros
2018-12-05 3:46 ` Virgil Dupras
2018-12-05 15:02 ` Mikle Kolyada [this message]
2018-12-06 22:41 ` Alec Warner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e08ac462-96d0-f17f-21e1-23bfdae42e11@gentoo.org \
--to=zlogene@gentoo.org \
--cc=gentoo-project@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox