Helping with any of these three would certainly be reasonable.  But
demanding a *LOT* of work to alternative-force an already attack-reverted
package, when we actually KNOW about that one, it's reverted to pre-attack
and there's likely to be no more mischief there /because/ everybody's
looking at it now, when it could have been any of a number of packages,
some of which might already be compromised and we just didn't happen to
find it, IMO really doesn't make much sense.

Hello,

After so much reading, seeing this talk almost reach a dead end, and from the citation above, I had an idea for OP.

1/ OP is sure that Gentoo and other distros *should* avoid using xz-utils, at all costs.

(IMHO that is a respectable choice, *IF* it's possible without adding a tremendous amount of work while Gentoo's devs could work on something else… Like being sure xz-utils is now safe to use…)

2/ Gentoo's devs are stating that it's:

    a) Not required, not to say useless.

    b) Would require a lot of money to extend Gentoo's infrastructure (two times the compressed file, and the new non-xz one would take like +30% in size…) and some additional work for the system administrators. As someone who had this job for some years, that is not always as easy as it looks, and having more work is never fun while you already have some cooking… especially when you are not paid for this.

    c) Would require a *LOT* of work from Gentoo's devs, ebuild maintainers…

    d) For, in the Gentoo devs' opinion, something that only a very few users will actually use, not to mention adding a layer of complexity to every process, from installing Gentoo to maintaining the packages. Looks like an awful job, to be honest.

If OP is really that sure that Gentoo's devs have a cavalier attitude, not thinking enough about security on this subject, while (sorry but that's true) not paying much respect to the work of the community (Gentoo and free software in general)… Well:

Fork Gentoo, or any other distro, start an LFS…

I mean, this is *free software* (as in freedom), what stops you from starting your own project with people sharing your point of view?

Some Debian users didn't like the coming of SystemD, some made Devuan (I don't even know if it's still around, but that is a simple example). Weren't some *BSD distributions born from differing technical points of view? Yes, some were and are still here, decades later.

I think, IMHO, you should try to see if people around you have the same philosophy as you, if you can find a bunch of people having the time and willing to do it.

I suppose you have some knowledge, but I can only assume; maybe you don't have enough. It could take years even if you already have it. Even more if you start from 0.

If you are alone, you have two choices:

1/ Do like Slackware, create your own distribution as a lone wolf.

2/ Accept the idea that your idea is maybe not true, or good.

When a lot of people state that you are wrong, it doesn't mean you always are. But at the same time, it was explained to you more than once that it's not a good idea or a really better way, or that they (Gentoo's devs) have other matters to take care of. Maybe Gentoo's devs are wrong. But in my case, I'll side with the people who have proven their skills by their work. For more than 20 years, now.

That is just my opinion. You don't like it? Fork it, find an alternative OR accept your fate. Or switch to a distribution sharing your opinion about that.

PS: Sorry for my English.

Regards,
GASPARD DE RENEFORT Kévin

