On Wed, Jan 4, 2017 at 12:23 AM, Rich Freeman <ri...@gentoo.org> wrote:
> On Tue, Jan 3, 2017 at 9:57 AM, Michael Mol <mike...@gmail.com> wrote:
>>
>> For security's sake, even mature software needs, at minimum, routine 
>> auditing.
>> Unless someone's doing that work, the package should be considered for
>> removal. (Call that reason #π, in honor of TeX.)
>>
>
> Are you suggesting that we should ban any package from the tree if we
> don't have evidence of it having recently been subjected to a
> security audit?  We might literally have 3 packages left in the tree
> in that case, probably not including the kernel (forget the GNU/Linux
> debate, we might be neither).
>
> The fact that a project gets 47 commits and 100 list posts a week
> doesn't mean that it is being security audited, or that security is
> any kind of serious consideration in how their workflow operates.
>
> I tend to be firmly in the camp that a package shouldn't be removed
> unless there is evidence of a serious bug (and that includes things
> blocking other Gentoo packages).  If somebody wants to come up with a
> "curated" overlay or some way of tagging packages that are considered
> extra-secure that would be a nice value-add, but routine auditing is
> not a guarantee we provide to our users.  The lack of such an audit
> should not be a reason to treeclean.

+1

>
> --
> Rich
>



-- 
アリス フェッラッシィ
Alice Ferrazzi

Gentoo, If it moves, compile it!
My_overlay: https://github.com/aliceinwire/overlay
Gentoo Euscan: http://goo.gl/YNbU3h
Mail: Alice Ferrazzi <ali...@gentoo.org>
PGP: 2E4E 0856 461C 0585 1336 F496 5621 A6B2 8638 781A
