
Re: expanded + clarified "differences from Debian" wiki section

Paul Wise left as an exercise for the reader:
> On Thu, May 9, 2013 at 11:59 AM, nick black wrote:
> 
> > systemd has replaced sysvinit.
> This may happen in Debian for jessie, at least for the Linux-based
> architectures.

Wonderful! Indeed, it was the FreeBSD/Hurd issue that seemed the biggest
obstruction. I'll need to look into how this is being done. In that case, we'll
have service files to contribute.

> > SELinux and TCP wrappers are not supported. The former almost certainly introduces security problems
> Do you have any specific issues in mind here? If so it would be a good
> idea to get CVEs and patches issued for them.

Nope, no specific issues, more an issue of "security policy ought to be
implemented using as few mechanisms as possible."

> > Hardening flags are not considered universally desirable.
> Is the performance difference really that large?

This isn't about performance, though that is a (minor) issue. Much more
problematic is that it's a major source of patches, which we consider
undesirable. Contributing hardening patches upstream to live projects is
great, but we don't want to maintain them against dormant codebases.

> > Patching the upstream sources is strongly frowned upon
> Likewise in Debian, we even codified that in our social contract:
> 
> http://www.debian.org/social_contract
> 
> We do take a pragmatic approach when upstream is unresponsive or for
> other reasons though.

Yep. I'll add linkage to the Debian policy; thanks for pointing it out!

> > use of --fail-missing or an equivalent is strongly encouraged
> 
> It might be interesting to make that the default in a future debhelper
> compat level.

I am personally deeply surprised that this is not already the case,
especially in CDBS.

> 
> The advantage of having humans involved here is that they can make
> judgements about the updates.

Absolutely. The disadvantage is that you need the humans.

-- 
nick black     http://www.sprezzatech.com -- unix and hpc consulting
to make an apple pie from scratch, you need first invent a universe.
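
For readers who want to see the two packaging settings discussed above (the dpkg-buildflags hardening set and failing the build on files that are installed but not shipped) in one place, here is an added debian/rules fragment. It is an illustration written for this page, not a file from the thread, Debian, or the wiki section under discussion; it assumes a dh-based package at a debhelper compat level where dh_install accepts --fail-missing, and the package-specific file lists (debian/*.install) are assumed to exist.

```make
#!/usr/bin/make -f
# Added example (not from the thread): a minimal dh-style debian/rules that
# enables the hardening build flags and refuses to build a package that
# silently drops installed files on the floor.

# Hardening flags are opt-in per package. "hardening=+all" asks
# dpkg-buildflags for the full set (PIE, relro, bindnow, fortify, stack
# protector, format-security), which dh then exports to the build.
# Leaving this line out gives the distribution default, which for Debian
# of the thread's era was the narrower default subset, not "all".
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# Standard dh driver; every target not overridden below goes through it.
%:
	dh $@

# Default behaviour of dh_install is to ignore files in debian/tmp that no
# debian/*.install list claims, so a new upstream file (a setuid helper, a
# config snippet, a library) can vanish from the binary package unnoticed.
# --fail-missing turns that into a hard build failure so the packager has
# to decide explicitly what ships. On newer debhelper the same check is
# done by "dh_missing --fail-missing" instead.
override_dh_install:
	dh_install --fail-missing
```

Whether a resulting binary actually received the flags can be checked after the build with the hardening-check tool from the devscripts package, which inspects the ELF for PIE, RELRO, stack protector and fortify markers.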