On Fri, Apr 10, 2015 at 4:03 PM, Christian Theune <[email protected]> wrote:
> Hi,
>
> On 10 Apr 2015, at 21:52, Domen Kožar <[email protected]> wrote:
>
> > Yup - which translates to: if you're using Gentoo you're rolling your own
> > security updates. That's why the adoption is really low.
>
> Right. Obviously I’d like to eat my cake and have it. My gain is a
> support-horizon for a certain “release” that is different/longer than what
> upstream does (i.e. I can make my own choices whether updating really fits
> on my plate in sync with upstream). Wiggle room is nice to have - but we
> have to pay for it, of course.
>
> But: my point was that my experience with the multi-step system is a good
> one. a) noticing which packages have a problem b) marking packages as
> afflicted c) noticing which of those packages are actually in use.
>
> What Gentoo lacked for a while (and this was extremely critical at times)
> was good tooling that keeps the effort low (it was supposedly insane to do
> the work so nobody really volunteered) and the security team was almost
> non-existent at some point. It’s better now but not as good as I’d like it.
>
> Interestingly the hardest part is the “discover which vulnerabilities
> exist and which are important to us” needs to be solved by everyone, and
> apparently, everyone anew.
>
> Everything after that seems trivial to me, but I might be blind. ;)
>

I can fully agree - which basically translates to: once enough companies are using Nix we can sit down and write this up :)
_______________________________________________
nix-dev mailing list
[email protected]
http://lists.science.uu.nl/mailman/listinfo/nix-dev
