On Fri, Mar 31, 2017 at 01:59:37PM +0100, Josh Branning wrote:
> Instead of
>
> 'we know there are lots of different vulnerabilities with software so we
> should decide to fix none of them'
>
> I feel we should aim for
>
> 'we know there are lots of different vulnerabilities with software, so we
> should try and fix all of them, failing that, we should at least try to fix
> some of them'
I am not saying to not fix any of them, I'm saying there are better ways in which we can allocate our resources (namely the time we have). Solving an issue that has low risk but requires quite a bit of time, energy, as well as other resources, seems like a waste to me.

With reproducible builds it's a decently large cost for almost no return because of all the flaws it has to begin with. In the end we end up trusting our own compilers, which means it's the same as compiling from source. So why not make it easier to install packages from source? Write a quick script for `abs' and alike?

It simply does not seem like a pragmatic decision to me, and although the idea is not bad it needs to be elaborated and thought through more thoroughly on a solution to the problem that they are trying to solve. A problem was found and a half-baked solution was created.

Yes, I realize that no security system is perfect and there will always be holes, and that that shouldn't stop us from trying to patch that which we can. However, in this case I view the solution as being too premature and requiring further development so that it can cover a good portion of the holes.

--
Nicolás A. Ortega (Deathsbreed)
https://themusicinnoise.net/
http://uk7ewohr7xpjuaca.onion/
Public PGP Key:
https://themusicinnoise.net/[email protected]_pub.asc
http://uk7ewohr7xpjuaca.onion/[email protected]_pub.asc
_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
