On Sat, Jan 4, 2020 at 6:42 AM Roy Bamford <[email protected]> wrote:
>
> On 2020.01.04 11:01, Rich Freeman wrote:
> >
> > Is there some reason that we should keep vanilla sources despite not
> > getting security handling?
> >
>
> Gentoo had this discussion before. The outcome was that
> vanilla-sources is just as Linus intended.
> If Gentoo did anything to it, it wouldn't be vanilla any longer.

Obviously. I wasn't suggesting that we keep vanilla sources but not
make them vanilla. That doesn't mean that they couldn't be
security-supported, or that we have to have them in the repo.

> Yes, it should be kept. We should not force users to learn
> git or tar.

Uh, all it does is install kernel sources. They're useless unless you
build a kernel using them. Apparently git and tar are too complicated
for Gentoo users, but managing symlinks, using make, managing a
bootloader, dealing with the kernel's configuration system, and so on
are just fine?

I completely get the point of the distribution kernel project that was
just announced, as I already said.

> I agree git or a tarball of vanilla-sources is faster and more
> efficient but that's not a reason to drop it.
> By the same argument we could drop linux-firmware too.
> There are probably other packages that only install whatever
> they fetch. Could they be dropped?

So, a few issues with that argument:

1. Those other packages are security supported.
2. Those other packages are largely functional once installed, and to
   the degree that they require configuration that is generally
   one-time and after updates they remain functional.

All that said, it seems like vanilla-sources is pretty up-to-date, so
I'm not sure what we mean by it not being security supported. I just
took that as a given. Does that mean that we're not releasing patches
before upstream? If so, that seems like a pretty minor issue since
upstream generally does security bumps pretty quickly.

4.4.208 isn't in our repo but was released today - I'm not sure how
quickly these get bumped. If our repo could be days behind that is
definitely another reason not to host this stuff, as users should be
directed upstream if our packages aren't security supported.

On a further aside, I just noticed how up-to-date gentoo-sources are.
Kudos to whoever is doing that these days - for a while it was tending
to slip a bit but it seems like we're basically current.

-- 
Rich
