On 2020-04-07 12:35, Alessandro Barbieri wrote:
> What about moving all of these binary-only packages into an official overlay
> (made for the scope) or in GURU?
And which problem is that going to solve? Do we want to tell the world, "Look! Gentoo is the most secure distribution! We have zero vulnerabilities*!"

*Because we move vulnerable packages to an overlay!

Please, don't get me wrong. But the whole thread looks like pure activism to me. It looks like most people don't understand any details but have the feeling "but we must do *anything*".

This ignores the fact that most discussed issues in Zoom, for example, are found in/caused by the installer, something we don't have in the Linux version, or require write access to the Zoom application directory, which also doesn't affect us. (This is BTW a can Google opened years ago when they tried to get market share and were looking for a way to allow users to just install their software without asking their IT department. Since then it has become 'normal' to install software in the user profile. The problem: this allows any user process to modify these files, plant exploits to abuse vulnerable loaders and stuff like that, which you don't have when you do proper ACLs.)

Regarding bin/non-bin: Software has bugs. Some software tends to have more issues. Just because we have the source code and compile software on the user's system doesn't make the application itself more secure than the provided binary package.

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5