
Re: Packages removed from frozen



>>"David" == David Starner <dvdeug@x8b4e53cd.dhcp.okstate.edu> writes:

 >> 
 >> I am tempted to say, Horse puckey.  I never said that gcc was
 >> the only program that should qualify.

 David> "gcc would be something that I would be willing to give special 
 David> dispensation for . . . However, this is not a dispensation that 
 David> should be lightly given. Bootstrapping from scratch should be
 David> kept to ... the build essentials."
 David>                ^^^^^^^^^^^^^^^^^
 David> Close enough.

        In your mind. 

        I still say the dispensation should not be lightly given -- it
 should only be given where strictly necessary. I have, however,
 amended my stance about restricting it to build depends (not that
 there was any attempt at dialogue -- people must reaaaaly like flame
 fests here).
        
        Rather than jumping on details, did you even try to see if
 something workable could be wrought out of this? Hell, no.

 >> You must be imagining things. Who talked about throwing the
 >> code out by default? I talked about having the package maintainers
 >> ask for dispensation, to ensure that the packages are not putting in
 >> self dependencies for convenience.

 David> ~ $ fgrep -i ask original_message
 David> ~ $

        English might not be your first language, so this is
 forgivable. How the hell did you think the dispensators knew how to
 give a dispensation? Telepathy?

        Or are you just spoiling for a fight?

 >> Brushing aside such potential security risks is a really bad idea,
 >> and I am appalled that people are opposed to documenting these
 >> packages in a well known place.

 David> ~ $ fgrep -i doc original_message
 David> A bug in the code is worth two in the documentation.
 David> ~ $

        Right. You really need things spelled out for you. Anyway, the
 impression that people wanted to just sweep things under the rug
 developed from the responses to my proposal (a lot of which were knee
 jerk responses, somewhat like this one, where the author decided to
 disagree and reached for a flame thrower before partaking in a
 rational discourse).

        I can do that too.

        I posit that my stating that dangerous packages should be
 restricted to build essentials already requires documentation -- and
 I am now convinced that perhaps a separate class of packages apart
 from build essentials is required, but 

 David> No one's opposed to documenting these packages, but it doesn't
 David> really matter to most of us. 

        That has been eminently clear. However, I suggest that the
 project give two hoots about security.

        As to my giving the dispensation for gcc; I have already
 ensured (through using several non-Linux platforms to compile gcc)
 that the trojan in the binary trick does not exist; and therefore any
 trojans would have to be present in the source code.

        manoj
 gearing up to the inevitable flamefest
-- 
 If a subordinate asks you a pertinent question, look at him as if he
 had lost his senses.  When he looks down, paraphrase the question
 back at him.
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C