Hi,

> On 10 Apr 2015, at 21:52, Domen Kožar <do...@dev.si> wrote:
> 
> 
> Yup - which translates to: if you're using Gentoo you're rolling your own 
> security updates. That's why the adoption is really low.

Right. Obviously I’d like to eat my cake and have it. My gain is a 
support horizon for a certain “release” that is different/longer than what 
upstream does (i.e. I can make my own choices whether updating really fits on 
my plate in sync with upstream). Wiggle room is nice to have - but we have to 
pay for it, of course.

But: my point was that my experience with the multi-step system is a good one: 
a) noticing which packages have a problem, b) marking packages as afflicted, c) 
noticing which of those packages are actually in use.

What Gentoo lacked for a while (and this was extremely critical at times) was 
good tooling that keeps the effort low (it was supposedly insane to do the work 
so nobody really volunteered) and the security team was almost non-existent at 
some point. It’s better now but not as good as I’d like it.

Interestingly, the hardest part, “discover which vulnerabilities exist and 
which are important to us”, needs to be solved by everyone, and apparently, 
by everyone anew.

Everything after that seems trivial to me, but I might be blind. ;)

Christian

—
Christian Theune · c...@flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Forsterstraße 29 · 06112 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick


_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
