Pascal, I'm done talking to you. I tried my best to explain myself but apparently I can't get my message across. I'll refrain to address only some points you made.
On Sat, 2007-11-03 at 14:25 +0100, Pascal Bleser wrote:
> >> I don't know what world you're living in but we're not paid to do this,
> >> we do it during our spare time, and it's a considerable effort and
> >> amount of time, health, and commitment going into this from every single
> >> member of the team. It's totally unrealistic and just plain impossible
> >> for us to provide SLAs, maximum response time guarantees or whatever.
> >> Get real.
> >>
> >> If you want a really secure environment (_if_ you actually need that
> >> level of paranoia), then only use the packages that come with the
> >> distribution.
> >>
> >> And as the Subversion team likes to put it: "patches are welcome"
> >
> > Pascal, in the world I live people don't regard questions as personal
> > attacks. Nor do they feel the need to talk in a demeaning manner. How
> > tempting it might be I am not going to lower myself to this level of
> > discussion.
>
> Huh ?
> Something is just seriously wrong with the tone, criticizing all the
> time, wrong facts and you messing up replies and arguments all the time.
> It's damn close to trolling. That's what is getting yourself such
> replies. It's that simple, really.
> And I don't see where I was personally attacking you. Actually you're
> the one who turns every reply into being a personal attack.
>
> Reference for the others on the list:
> http://lists.opensuse.org/opensuse-buildservice/2007-11/
> and the dozen of "How secure is openSUSE build service ?" threads.

Thanks for providing the link. I'll leave it up to others to decide for
themselves whether I am trolling or not.

> You cannot "know 100% certain what you offer to your customers".
> You'd have to either write all the source code yourself, or audit all
> the source code yourself (and actually have such a deep understanding of
> environments, programming languages etc.. to actually understand exactly
> that every single line of C/C++/Python/Ruby/Java/C#/PHP/bash/perl source
> code does), or trust others.

True.

> Get SLES or SLED, they provide the same security levels, SLAs and
> whatever you need. Plus you actually get a contract and an SLA, support,
> hotline, guarantees. The above give you near nothing because no one is
> liable for it. It might be a code of conduct, a best effort, an
> intention (which is great if it really works), but still no guarantee at
> all. What will happen if the maintainer or one of the maintainers of
> gentoo's MPlayer ebuild is on holidays a few days ? Will he be fired ?
> Will someone else from the QA team pick it up, build it, test it ?

SLED is too expensive for the home user.

> And with gentoo it gives you nothing, because you still have to get your
> customers to rebuild the software in question on their hosts, supposedly
> with a long downtime.

One word: binhost

> > Besides Gentoo there is Ubuntu/Debian/FreeBSD which shows that it is
> > possible to make a very secure distribution with only volunteers.
>
> Sure, if it makes you feel better by thinking it does.
> If you really want to go by a hardened and secure environment, then go
> for OpenBSD. But you will always get the tradeoffs, with any environment
> that is really secure. And it seems that you're targetting desktop
> systems. That sounds like a lot of fun :)
>
> Just show me where SLED/SLES/openSUSE/Packman was too slow at shipping
> security fixes or caused harm by not pushing out updates fast enough.

I never stated that SLED/SLES/openSUSE/Packman "was too slow at shipping
security fixes or caused harm by not pushing out updates fast enough".
In fact I repeatedly stated (see the "How secure is openSUSE build
service ?" link) that I trust the packman and openSUSE repos 100%.

> Note that that's exactly the sort of argumentation I was referring to.
> By telling people they suck idiots because others supposedly do it
> better

I never said something that comes even close to "they suck idiots because
others supposedly do it better".

> (with lots of wrong "facts" btw, such as Debian shipping patent
> encumbered codecs in their main repository,

Again, I never stated that "Debian shipping patent encumbered codecs in
their main repository". I only said Debian has patent encumbered codecs
(mp3, not dvd) available, which are in the non-free repos.

> or MP3 just being an
> "ethical problem" and not a legal one,

That depends on where you live.

> or stating that every single of
> the 20000+ packages in the Debian repository undergoes heavy security
> checks by their maintainers -- plain wrong, but you never reply to
> people telling you that) and
> "threatening" to use another distribution,

Like I said, I don't care which distro I use; for me it's just a tool.
Therefore I see no use in "threatening" to use another distribution.

> what.. you don't actually expect people to give constructive replies,
> don't you ? ;)

You never bothered to give constructive replies in the first place.

> But if you prefer Gentoo, Debian, Ubuntu, FreeBSD or whatever, those are
> fine distributions as well, just go for it. Don't think that anyone
> cares about what distribution you and your customers will be using, that
> sort of "threatening" just does not work at all.

Like I said, I don't prefer any distro; all have their positive and
negative points.

> What Toni and I tried to explain to you (and what you just dubbed as
> being a personal attack, for whatever reason) is that we cannot possibly
> perform security audits on every single package we build.
> It's not feasible for several reasons:
> - we would need to be 50 people working on it at least, full time, with
> everyone just tracking 20 projects or so, not more
> - we would probably have to restrict the number of packages that we
> provide (and you don't what that now, do you ?)
> - we would need a lot of funding and a lot of hardware to perform
> security checks, shorter update delivery, automated QA, manual QA procedures

I never asked for security audits. I only wanted to know which security
procedure the packman devs use. Just reread my initial post.

> We have neither of that. What we provide to the community is huge
> amounts of our spare time committed to give them software they can
> install easily on their distribution in the latest version and
> uncrippled, with of course a best effort in terms of new releases,
> bugfixes and security fixes. But we totally rely on upstream (= the
> software authors), as almost everyone else does.
> You have to trust both upstream (authors) and downstream (packagers),
> that's all. And it's exactly the same with Debian, Ubuntu, Gentoo,
> others. Because Gentoo may well have some policies and intentions, but
> it doesn't technically prevent them from skipping their QA or adding
> something harmful into the packages/ebuilds.

Fortunately they do have a testing tree, which can prevent a lot of harm.

> If you have some constructive feedback, some realistic ideas on how to
> do it, want to contribute to the project, fine, be our guest (that was
> the meaning of "patches are welcome").

I tried my best to give constructive feedback but it has fallen on deaf ears.

_______________________________________________
Packman mailing list
http://212.112.227.138/cgi-bin/mailman/listinfo/packman
