On Sun, 20.08.2017 at 00:39 -0500, R0b0t1 wrote:
> On Sat, Aug 19, 2017 at 6:34 AM, Francisco Blas Izquierdo Riera
> (klondike) <klond...@gentoo.org> wrote:
> > On 19/08/17 at 13:18, Aaron W. Swenson wrote:
> > > On 2017-08-19 13:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > On 19/08/17 at 12:37, Aaron W. Swenson wrote:
> > > > > On 2017-08-15 17:01, Francisco Blas Izquierdo Riera (klondike) wrote:
> > > > > > Hi!
> > > > > >
> > > > > > I'd like to get this one up by Saturday so that we can proceed with
> > > > > > masking and removing of the hardened-sources after upstream stopped
> > > > > > releasing new patches.
> > > > >
> > > > > I hope I’m not too late.
> > > > >
> > > > > > We'd like to note that all the userspace hardening and MAC support
> > > > > > for SELinux provided by Gentoo Hardened will still remain there and
> > > > > > is unaffected by this removal.
> > > > >
> > > > > Where is there? I think you’re talking about the packages, but the
> > > > > news item is about the kernels. It would help to be more specific here.
> > > > >
> > > > > That’s all I had that the others hadn’t touched on.
> > > >
> > > > Do you think something like that is better then?
> > > >
> > > > We'd like to note that all the userspace hardening and MAC support
> > > > for SELinux provided by Gentoo Hardened will still remain available
> > > > on the portage. Keep in mind though that the security provided by
> > > > these features will be weakened a bit when using
> > > > sys-kernel/gentoo-sources. Also, all PaX related packages other than
> > > > the hardened-sources will remain available for the time being.
> > > >
> > >
> > > Much better. We should mention that we’re specifically discussing
> > > packages and not portage itself. At least, that’s my understanding from
> > > your edit.
> > >
> > > Here’s my take on it:
> > >
> > > We'd like to note that all the userspace hardening and MAC support for
> > > SELinux provided by Gentoo Hardened will still remain in the packages
> > > found in portage. Keep in mind, though, that the security provided by
> > > these features will be weakened a bit when using
> > > sys-kernel/gentoo-sources. Also, all PaX related packages, except
> > > sys-kernel/hardened-sources, will remain available for the time being.
> >
> > I updated the news item with your proposal. Thanks a lot :)
> >
>
> The discussion is nice but no one has actually touched on the
> technical merits of removing the packages besides "they are old."
> There's plenty of old software in portage. Why not remove it first?

Please select some, and I'll be happy to treeclean it ASAP.

> I had a similar issue with the GCC developer who removed GCJ support.
> I asked him for any justification at all for the removal and he had
> none but some vague statements about it creating work. I would have
> taken any more specific example he gave at face value, but he didn't
> want to give one. I was left to conclude he didn't have one to give.
>
> So I ask again: On what basis are the hardened sources being removed
> from the tree?

Old kernel versions are natural vulnerability targets. Even if they are
not vulnerable at the moment, they surely will be soon enough.

> At this point I am far less interested in making sure the sources stay
> in the tree than I am in forcing you to justify your actions, because
> I suspect your attempt to do so will be entertaining.
>

This is called inappropriate behavior and in a civilized distribution it
should result in disciplinary action. However, that's just my opinion
and I'm free to express it just as you are free to express yours.

--
Best regards,
Michał Górny