On Fri, Jan 3, 2020 at 11:28 AM Aaron Bauman <b...@gentoo.org> wrote:
> On January 3, 2020 9:55:31 AM EST, Michael Orlitzky <m...@gentoo.org> wrote:
> >On 1/3/20 9:52 AM, Michael Orlitzky wrote:
> >>
> >> But here we are. Do we make OpenRC Linux-only and steal the fix from
> >> systemd? Or pretend to support other operating systems, but leave
> >> them insecure?
> >>
> >
> >Or the gripping hand: rewrite opentmpfiles in C, so that it's only as
> >insecure as checkpath.
> >
> >Every option sucks. I was only trying to point out that vanilla-sources
> >gets no security support -- security@ has stated this, but it's on a
> >private bug, so I won't quote it -- and the risk is more than academic.
>
> This should be known. Security does not support vanilla-sources. This is one
> reason vanilla-sources are not stabilized.
>

Packages without security support should be masked.  Really I don't
see the point of even having this in the repo.

I run vanilla sources personally but I just get them from upstream.
Makes way more sense than worrying about whether the version in the
repo is up to date for the longterm kernel I'm following.  People
running vanilla sources are probably using out-of-tree modules (like
me) and as such are going to have particular requirements around how
they're updated.  So, Gentoo is adding fairly little value.

All they do is download sources anyway, which is trivially done from
git more efficiently (or tarballs that are probably easy to obtain
just as efficiently).  I can see more of the point in the new
distribution kernel project which will be turnkey.  I can see some of
the value in gentoo-sources (particularly as the upstream for the
distribution kernels) especially if they're tied to Gentoo-specific
bugs.  For more general bugs that apply to all distros I really don't
see the point in trying to compete with the upstream stable branches
(if they're taking forever to merge a patch, chances are there is a
reason for it, and I'm skeptical that Gentoo users are special in some
way).

Is there some reason that we should keep vanilla sources despite not
getting security handling?

-- 
Rich