On 4/1/24 3:57 AM, Eddie Chapman wrote:
> No, I don't need to do that. I don't appreciate suggestions to "just calm
> down", especially when I'm not being hysterical.  Your comment to me just
> reinforces what I mean when I say there is far too much of a cavalier
> attitude.


I think you're making a big mistake by confusing "approach the issue
with a calm and clearheaded approach, be methodical about how you
analyze and react to trouble spots" with

"everyone is being cavalier".

But also, please keep in mind that 98% of all people on the internet can
do whatever they want and it simply doesn't matter. They are public
commentators at a three-ring circus and their cavalier or panicked
attitudes change nothing.

Well, they change one thing. It's hard for the security professionals at
work to deal with things when they are constantly having to respond to
the three-ring circus.


> I stand by and reiterate my view that there is far too much of a cavalier
> attitude towards the matter in general out there including here in Gentoo.
> But not in particular here, it is everywhere where this is being discussed
> at the moment.


I don't care where this is being "discussed", scare quotes intentional.


> But please think a little about what I mean when I say a "cavalier
> attitude", and what it does NOT mean. It does not mean that a lot of
> people are not working very hard to analyse and learn about this issue and
> taking steps to try to mitigate it. It does not mean people are not well
> intentioned, everyone wants to fix this. I have great appreciation and
> admiration for a lot of fantastic work I see going on including by people
> involved in Gentoo. But I believe it will only really be beneficial in the
> far future, not right now.


Please stop insulting the work of the people who are working very hard
to analyze and learn about this issue and taking steps to try to
mitigate it...



> How are people in general being cavalier? By trying desperately to salvage
> the situation with xz-utils above all else, by focussing too much on how
> the original author of xz-utils and rallying round them (absolutely a
> great thing to do but has absolutely nothing to do with what is good or
> not good for users as a whole right now), there is too much clouded
> judgment. There is more I could argue about why I use that word, but I
> know by now that I am going against the grain of what the majority want
> and it's not what people want to hear so I'm done, this discussion is now
> a waste of everyone's time here including mine.


... by implying that people who are NOT part of that process "rallying
around the original author" (an act of human compassion!!! which you
admit is a good thing) is, somehow, detrimental to the process of
working very hard to analyze and learn about this issue and taking steps
to try to mitigate it.

What does one have to do with the other? Why is it necessary to claim
that based on some sort of vibe check "there is too much compassion
going around in our communities, and this must mean that not enough
effort is being expended on the technical and cleanup aspects"?

...

Reading in between the lines, e.g. "trying desperately to salvage the
situation with xz-utils", I suspect you are trying to subtly suggest
that any second of time where gentoo hasn't yet removed xz-utils from
gentoo as a dead end is "cavalier".

Considering the fact that xz-utils is widely used and on the critpath
for people to actually get work done, including to actually acquire
extremely important software that already exists and must somehow be
dealt with, I do indeed think that the situation needs salvaging and the
community needs some form of xz decompressor. Fortunately, as you've
agreed, we know the original xz-utils circa 2020 and before is
trustworthy, so using that is viable and under discussion.


I understand that you are passionate about your suggestion to make
portage not validate distfile hashes. But I don't understand how you
think it's a solution to the xz-utils problem. For a wide variety of
reasons, but the simplest one is that your proposal has zero plan of
action for solving this at the community level and is entirely designed
to allow "lone wolf" users to use throwaway systems performing
security-sensitive actions (decompressing and hosting distfiles) in a
networked environment that has the xz-utils installed, to feed into
other security-sensitive systems (daily drivers etc.) that don't, but do
have to trust the artifacts produced by the former.

It's not being cavalier when zero portage developers responded by saying
"good idea I'll drop everything so I can get right on this and implement
it".

But if you are absolutely positive this is the right solution, I have an
offer for you: implement this yourself, submit patches, and then we'll
have something to talk about.



-- 
Eli Schwartz

Attachment: OpenPGP_0x84818A6819AF4A9B.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature.asc
Description: OpenPGP digital signature
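The disagreement above turns on what portage's distfile hash validation actually buys: a fetched tarball is checked against the ebuild's Manifest before anything unpacks it. The following is an added example, written for this page and not code from portage, Gentoo, or anyone in the thread. It builds and verifies a Manifest "DIST" entry in the format portage records (file name, size, BLAKE2B and SHA512 digests). The file name, file contents and function names are constructed for illustration; nothing here is a real distfile.

```python
import hashlib
import hmac
import re

# Constructed sample standing in for a downloaded distfile. The name and
# bytes are made up for this example and are not a real Gentoo distfile.
SAMPLE_NAME = "example-1.0.tar.xz"
SAMPLE_BYTES = b"not a real xz archive; constructed for this example\n"

# Hash algorithms portage records in a Manifest DIST entry (hypothetical
# table for this example; names match the Manifest field labels).
_HASHERS = {"BLAKE2B": hashlib.blake2b, "SHA512": hashlib.sha512}


def manifest_dist_line(name, data):
    """Build a Manifest entry in portage's layout:
    DIST <file> <size> BLAKE2B <hex> SHA512 <hex>
    hashlib.blake2b defaults to a 512-bit digest, which is what the
    BLAKE2B field in a Manifest holds."""
    size = len(data)
    b2 = hashlib.blake2b(data).hexdigest()
    s512 = hashlib.sha512(data).hexdigest()
    return f"DIST {name} {size} BLAKE2B {b2} SHA512 {s512}"


_DIST_RE = re.compile(r"^DIST (\S+) (\d+) (.*)$")


def parse_dist_line(line):
    """Parse a DIST line into (name, size, {hash_label: hexdigest})."""
    m = _DIST_RE.match(line.strip())
    if not m:
        raise ValueError("not a DIST line: %r" % line)
    name, size, rest = m.group(1), int(m.group(2)), m.group(3).split()
    if len(rest) % 2:
        raise ValueError("odd number of hash fields in DIST line")
    hashes = {rest[i]: rest[i + 1] for i in range(0, len(rest), 2)}
    return name, size, hashes


def verify_distfile(line, name, data):
    """Check downloaded bytes against a Manifest DIST line.

    Returns a list of problems; an empty list means the distfile matches.
    Every recorded hash must match, and a hash label this example does
    not implement is reported rather than silently skipped, so a
    Manifest cannot be weakened by listing an algorithm we ignore."""
    m_name, m_size, m_hashes = parse_dist_line(line)
    problems = []
    if m_name != name:
        problems.append(f"name mismatch: Manifest has {m_name}, got {name}")
    if m_size != len(data):
        problems.append(f"size mismatch: Manifest has {m_size}, got {len(data)}")
    for label, expected in m_hashes.items():
        hasher = _HASHERS.get(label)
        if hasher is None:
            problems.append(f"unsupported hash {label}")
            continue
        actual = hasher(data).hexdigest()
        # Constant-time comparison; not security critical for a public
        # digest, but it is the habit to keep.
        if not hmac.compare_digest(actual, expected):
            problems.append(f"{label} mismatch")
    return problems


if __name__ == "__main__":
    line = manifest_dist_line(SAMPLE_NAME, SAMPLE_BYTES)
    print(line)
    print("clean:", verify_distfile(line, SAMPLE_NAME, SAMPLE_BYTES))
    # Flip the last byte: same size, so only the digests catch it.
    tampered = SAMPLE_BYTES[:-1] + b"X"
    print("tampered:", verify_distfile(line, SAMPLE_NAME, tampered))
```

The size field alone catches a truncated or padded download, but a same-length modification is only caught by the digests; that is the check that goes away if portage is told not to validate distfile hashes, and it is what a decompression host feeding artifacts to other machines would be relying on.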