Hi Michael, On 4/1/20 6:01 PM, Michael Orlitzky wrote: > On 4/1/20 11:49 AM, Alec Warner wrote: >> Imagine a common dep (CommonFoo-x-y-z) >> has a security problem, so we must upgrade to CommonFoo-y-z. In the >> scenario where CommonFoo is a dynamically linked package we can >> recompile it once and new consumers will just use the new dynamic >> shared object. In a bundling scenario, we will be forced to rebuild >> all consumers. > This is highly euphemistic. What actually happens is: someone discovers > a security issue in a Go library. That library is not "in" Gentoo, > because it only ever appears in a string inside of another ebuild that > bundles everything. Thereafter, a whole lot of nothing happens. Users > remain vulnerable "forever," until some other unrelated event causes > both the ebuild and its dependency to be updated.
Couldn't security issue in a Go library be solved with keyword mask and announce in portage? The vulnerability care is not only related to the distro, but also to the upstream. Gentoo already provides the option to downgrade to a previous version (if that is an answer for the issue). Imagine Arch distro where that is not an option or Debian Stable that is stuck in a version? I see so more troubles in other distros than Gentoo. The choice is the responsibility of the end user and distro maintainers don't have to provide every software. Providing the eclasses that allows to produce the ebuild is a good option for those who need some software, simplifying the development work. Overlaying is the solution, I think... Best, Samuel
Description: OpenPGP digital signature