[gentoo-security] Let's wrap this up shall we...

[gentoo-security] Let's wrap this up shall we...

[Den]

by not giving our here friend's Peter the attention he so crave.

Obviously he has nothing better to do than to bait people into flaming 
him publicly or privately since it enables him the luxury of venting 
through his replies.

As my good ole mother use to say: "just be wiser than your nagging 
brother: ignore him, he'll eventually go away"

So let's ignore this problem and focus on the real one: coding ourselves 
the best portage tree signing Peter could not himself do while he blows 
his own little whistle on someone else's list.

On your mark, ready, filter :P

Denis Roy

--
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Let's wrap this up shall we...

[Thierry Carrez]

[-- Attachment #1: Type: text/plain, Size: 2239 bytes --]

Den wrote:

> by not giving our here friend's Peter the attention he so crave.
> 
> Obviously he has nothing better to do than to bait people into flaming
> him publicly or privately since it enables him the luxury of venting
> through his replies.
> 
> As my good ole mother use to say: "just be wiser than your nagging
> brother: ignore him, he'll eventually go away"
> 
> So let's ignore this problem and focus on the real one: coding ourselves
> the best portage tree signing Peter could not himself do while he blows
> his own little whistle on someone else's list.
> 
> On your mark, ready, filter :P

I think this thread wasn't completely useless. Hopefully it will help
speed up the implementation of the final and complete solution we've
underway since a long time.

This solution, nobody complained here it wasn't good. The only complaint
we heard was that it wasn't implemented fast enough. That's already a
big improvement... the last time this was brought up in gentoo-dev there
was another endless thread where everyone was telling THEIR solution was
the best. Good thing we finally reached consensus on what is the best
solution.

I'm pretty sure almost all Gentoo developers subscribed to this
particular list (gentoo-security) already do all they can so that this
final solution gets implemented the fastest possible. So yelling at
Gentoo developers here won't speed up anything. There are other
developers out there that don't think this is top-priority. They are the
one this thread should evangelize. And no, yelling at people is not the
best way to do evangelization.

This has been a long-term effort, and finally we're seeing good
progress, with portage signing support in 2.0.51 deployed. Having a
band-aid deployed as a temporary workaround while we're in the last
rounds will only delay further adoption of the one and real true
solution. If it's deployed, we'll have quite a bunch of devs saying
there is no need for them to create a package signing key since
everything is now "secure" thanks to this genius solution. It will
likely double the time needed for the final and complete (and auditable)
solution to be deployed.

Now that's a tradeoff.

-- 
Thierry Carrez
Operational Manager, Gentoo Linux Security

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]