[Nix-dev] Improving security updates

Christian Theune ct at flyingcircus.io
Fri Apr 10 22:03:11 CEST 2015


Hi,

> On 10 Apr 2015, at 21:52, Domen Kožar <domen at dev.si> wrote:
> 
> 
> Yup - which translates to: if you're using Gentoo you're rolling your own security updates. That's why the adoption is really low.

Right. Obviously I’d like to eat my cake and have it. My gain is a support horizon for a certain “release” that is different/longer than what upstream does (i.e. I can make my own choices about whether updating really fits on my plate, in sync with upstream). Wiggle room is nice to have - but we have to pay for it, of course.

But: my point was that my experience with the multi-step system is a good one: a) noticing which packages have a problem, b) marking packages as afflicted, c) noticing which of those packages are actually in use.

What Gentoo lacked for a while (and this was extremely critical at times) was good tooling that keeps the effort low (it was supposedly insane to do the work so nobody really volunteered) and the security team was almost non-existent at some point. It’s better now but not as good as I’d like it.

Interestingly, the hardest part, the “discover which vulnerabilities exist and which are important to us” step, needs to be solved by everyone, and apparently by everyone anew.

Everything after that seems trivial to me, but I might be blind. ;)

Christian

—
Christian Theune · ct at flyingcircus.io · +49 345 219401 0
Flying Circus Internet Operations GmbH · http://flyingcircus.io
Forsterstraße 29 · 06112 Halle (Saale) · Deutschland
HR Stendal HRB 21169 · Geschäftsführer: Christian Theune, Christian Zagrodnick
