Rich, Core should be fine to have a system that at least boots. And security still tracks ~arch's to get the system secured by removing vulnerable packages as time permits.
We can not have an arch though blocking the security of the whole distribution because we can not call for cleanup or release the GLSA, waiting for a stabilization of a non-core package, while the actual package has been in a tree in ~arch status for weeks or months. If we limit the stable packages to only those that are required for core OS boot, then the stabilization of the limited packages should be quicker.

On 5/8/17 6:48 AM, Rich Freeman wrote:
> On Mon, May 8, 2017 at 9:21 AM, Thomas Deutschmann <whi...@gentoo.org> wrote:
>>
>> It isn't like security project adds any additional load to any arch
>> team, an architecture capable to keep up with normal keyword and
>> stabilization requests should also be able to keep up with security.
>
> What about arches that use stable keywords only on a core set of
> system packages to indicate that they're usable, so that they can have
> a stage3 that actually boots? I'm not sure they even keep up with
> security in this case.
>
> Perhaps they could just use ~arch for the same purpose, but then we'd
> need to have a policy that REMOVES ~arch when doing bumps on those
> architectures, which is not our current practice. Otherwise a revbump
> could break stage3 on those arches.
>
> I'm not sure that stable+secure is necessarily a black-and-white thing
> on our non-mainstream arches. Honestly, I think that people who want
> to run linux on MIPS/sparc/etc are probably happy enough just to have
> something that boots.
>