OK, I said I was done and this is a waste of time for everyone, but if
people want to keep the discussion going I'll bite :-)

Eli Schwartz wrote:
> But also, please keep in mind that 98% of all people on the internet can
> do whatever they want and it simply doesn't matter. They are public
> commentators at a three-ring circus and their cavalier or panicked
> attitudes change nothing.

I disagree, I think it is very important to have discussions about what the
oss/linux community thinks, not just what they do. And I think those
discussions do significantly influence what is actually done, whether the
"doers" actually realise it or not.

> Well, they change one thing. It's hard for the security professionals at
> work to deal with things when they are constantly having to respond to the
> three-ring circus.

This is a complaint I hear very often from the people working at the heart
of things. Stop making noise, shut up, we're overworked here and dealing
with your "complaints" just adds to our stress. I do understand and
sympathise with those feelings, believe me I do, I feel them myself in
other contexts.

But I hope you understand this is not finding things to nitpick about for
the sake of it. Does the Gentoo dev community want people on the "outside"
to raise their concerns on their mailing list if those persons feel like
said community have got something very wrong, yes or no? If not then put a
note on the mailing list page saying "please don't bother us, we're too
overworked, just post patches" or something to that effect.

> Please stop insulting the work of the people who are working very hard
> to analyze and learn about this issue and taking steps to try to mitigate
> it...

I'm certainly not trying to insult anyone. I've expressed a lot of
appreciation for their work. I have *criticised* the prevailing view
though.

> What does one have to do with the other? Why is it necessary to claim
> that based on some sort of vibe check "there is too much compassion going
> around in our communities, and this must mean that not enough effort is
> being expended on the technical and cleanup aspects"?

I have not made such a claim, I've said I see lots of technical and
cleanup aspects. I've only stated the things that *are* happening versus
what is not happening at all (literally zilch) and which should be
happening, which is efforts towards a solution *not* involving the xz
utilities.

> Reading in between the lines, e.g. "trying desperately to salvage the
> situation with xz-utils", I suspect you are trying to subtly suggest that
> any second of time where gentoo hasn't yet removed xz-utils from gentoo as
> a dead end is "cavalier".

Not quite, I've never advocated removing xz-utils at all, more than happy
for it to remain for whoever wants to use it. The only reason I started
this thread is I'm very unhappy about the fact that it is currently
impossible to NOT execute xz utilities on the Gentoo systems I'm
responsible for, without heavy customisation.

I'm also not demanding anything, let alone demanding anything instantly.
If I have, please point out where.

> I understand that you are passionate about your suggestion to make
> portage not validate distfile hashes.

That's incorrect, I've never suggested Portage should not validate
distfile hashes. The current behaviour is that validating distfile hashes
is something that can be disabled if a user wishes to, and I have no
problem with that at all, would not change a thing. I've said that, in
order to implement what I have suggested, a user would have to disable it,
which is not ideal, but acceptable if the user controls the distfile
distribution. And I only suggested that in order to try and make the idea
more acceptable by not requiring impractical infra changes that would be
needed to generate uncompressed hashes for the Manifests.

> But I don't understand how you think
> it's a solution to the xz-utils problem. For a wide variety of reasons,
> but the simplest one is that your proposal has zero plan of action for
> solving this at the community level and is entirely designed to allow
> "lone wolf" users to use throwaway systems performing
> security-sensitive actions (decompressing and hosting distfiles) in a
> networked environment that has the xz-utils installed, to feed into other
> security-sensitive systems (daily drivers etc.) that don't, but do have to
> trust the artifacts produced by the former.

I'm not entirely clear what you're trying to say in this paragraph. But
what I will say is I've tried very hard in any suggestions I've made to
only suggest things which will NOT change any default behaviour or require
big changes. The average user would not see any change from my revised
suggestions at all. I accepted after the first responses in this thread
that there was no appetite here to stop using xz utils. I then asked the
list about an idea I had just to see how palatable it might be. It was not
supposed to be a concrete plan, I was seeking discussion about how it
might be possible in practice for someone to use Gentoo without
compression and decompression of distfiles. I tried to suggest a solution
that could be an optional feature people could enable if they wanted it.

> It's not being cavalier when zero portage developers responded by saying
> "good idea I'll drop everything so I can get right on this and implement
> it".

I'll just point out that I've never expected nor asked for anyone to
unquestionably accept anything I've said, let alone in the way you have
characterised there that I might have done. I do think that the oss/linux
community as a whole including Gentoo developers should seriously consider
changing direction on this though. And I still think it is cavalier,
simply because by deciding on the current direction that is being taken,
very big (not an exaggeration) risks on behalf of all users are being
taken, while a much safer path for everyone is available but being
completely ignored. I do acknowledge, though, as I have said before, that
this is far from easy in practice.

> But if you are absolutely positive this is the right solution, I have an
> offer for you: implement this yourself, submit patches, and then we'll have
> something to talk about.

That was always my ultimate intention, but only if I saw there was at
least some appetite for anything that might remotely look like what I was
suggesting. I don't see the point in developing and submitting anything
concrete to a community that has no desire for it in the first place.

Thanks,
Eddie

P.S. I've done a certain amount of "snipping" in my reply to try and
reduce the "wall of text" effect somewhat at least, apologies if you feel
I've taken anything out that I should not have, please let me know if so.
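The message above turns on one mechanism: Portage checks each fetched distfile against the `DIST` line in the package's Manifest (filename, byte size, then BLAKE2B and SHA512 digests), and the idea floated is to hash the *uncompressed* archive so a consuming system never has to run xz at all. The block below is an added illustration, not code from the thread, from Portage, or from Gentoo infra: it parses a real-format `DIST` line and verifies arbitrary bytes against it, then applies the same check to a constructed "uncompressed tarball" with a Manifest line generated for it. The helper `make_dist_line` stands in for the infra step the author says would be needed; its use for uncompressed content is the hypothetical part. All sample data is constructed inline.

```python
import hashlib
from dataclasses import dataclass

# Hash algorithms Portage records in Manifest DIST lines today.
_ALGOS = {
    "BLAKE2B": lambda: hashlib.blake2b(digest_size=64),
    "SHA512": hashlib.sha512,
}


@dataclass(frozen=True)
class DistEntry:
    filename: str
    size: int
    hashes: dict  # algorithm name -> lowercase hex digest


def parse_dist_line(line: str) -> DistEntry:
    """Parse one Manifest line of the form:
    DIST <filename> <size> BLAKE2B <hex> SHA512 <hex>
    Raises ValueError on anything that is not a well-formed DIST entry."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "DIST" or len(parts[3:]) % 2:
        raise ValueError(f"malformed DIST line: {line!r}")
    hashes = {parts[i].upper(): parts[i + 1].lower() for i in range(3, len(parts), 2)}
    return DistEntry(parts[1], int(parts[2]), hashes)


def verify_bytes(data: bytes, entry: DistEntry) -> list:
    """Check size and every recorded digest; return a list of problems.
    An empty list means the data matches the Manifest entry. Every digest
    is checked, not just the first failing one, so a report shows all
    mismatches at once."""
    problems = []
    if len(data) != entry.size:
        problems.append(f"size {len(data)} != {entry.size}")
    for algo, expected in entry.hashes.items():
        factory = _ALGOS.get(algo)
        if factory is None:
            problems.append(f"unsupported hash {algo}")
            continue
        h = factory()
        h.update(data)
        if h.hexdigest() != expected:
            problems.append(f"{algo} mismatch")
    return problems


def make_dist_line(filename: str, data: bytes) -> str:
    """Generate a DIST line for the given bytes. This is what the Manifest
    generation step would have to do for uncompressed archives (hypothetical;
    Portage only records hashes of the file as distributed)."""
    b2 = hashlib.blake2b(data, digest_size=64).hexdigest()
    s5 = hashlib.sha512(data).hexdigest()
    return f"DIST {filename} {len(data)} BLAKE2B {b2} SHA512 {s5}"


# Constructed sample: pretend these bytes are an uncompressed tar archive.
SAMPLE_DATA = b"example-1.0/\x00" * 64 + b"example-1.0/README\x00hello\n"
SAMPLE_LINE = make_dist_line("example-1.0.tar", SAMPLE_DATA)


def demo() -> dict:
    """Verify the constructed archive, then a tampered copy, and report."""
    entry = parse_dist_line(SAMPLE_LINE)
    return {
        "clean": verify_bytes(SAMPLE_DATA, entry),
        "tampered": verify_bytes(SAMPLE_DATA + b"\x00", entry),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else ', '.join(problems)}")
```

The point for the thread's argument is that the verification side is format-agnostic: the same size and digest checks apply whether the hashed object is the `.tar.xz` as shipped or its uncompressed contents, so the cost of the proposal sits entirely in generating and distributing the extra Manifest data, which is the infra change the author concedes would be needed.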

