On 05.12.2018 6:46, Virgil Dupras wrote: > On Tue, 4 Dec 2018 17:05:55 -0500 > Michael Orlitzky wrote: > >> This is technically correct, but: how many users even know what a >> security-supported arch is? I would guess zero, to a decimal point or >> two. Where would I encounter that information in my daily life? >> >> If I pick up any software system that's run by professionals and that >> has a dedicated security team, my out-of-the-box assumption is that >> there aren't any known, glaring, and totally fixable security >> vulnerabilities being quietly handed to me. >> >> Having a stable arch that isn't security-supported is a meta-fail... we >> have a system that fails open by giving people something that looks like >> it should be safe and then (when it bites them) saying "but you didn't >> read the fine print!" It should be the other way around: they should >> have to read the fine print before they can use those arches. >> > I very much agree with this. If we end up deciding on keeping the > "supported arches" system, I would like to propose that we also add a > big red warning, on the download page of unsupported arches, that > states that this can't be considered secure and that links to our > Vulnerability Treatment Policy. > > I don't have arm systems anymore, but for a while I did and at the > time, I wasn't aware at all of this situation. That's not fun and we > probably have many arm users right now who are unknowingly running > insecure systems. > > Regards, > Virgil Dupras The "stable" definition within the security project is ridiculous and has to be clarified. Stable == "once stable arches are stabilised we can send a GLSA". It does not mean that so-called "security unstable" arches do not get stable updates.