Mailing List Archive

just can't let it die
Sorry guys,
I just can't let go of this thread. I've become dependent upon it for
my daily dose of drama. I NEED to hear people flame and bicker all day
long...!!

Seriously though, this thread about portage signing has made me think
more thoroughly about gentoo and its security needs.

I decided tonight to take a step back, and look at what the gentoo web
site has to say about security. And the answer, which came as a
surprise to me, was very little.
I'm not sure how to interpret this. I will admit that I have not yet
surveyed other open source projects' websites to compare their relative
emphases on security. But I was surprised to see how little mention
this big issue receives in the gentoo press, so to speak.

It occurs to me that this lack of transparency is perhaps somewhat to
blame for the flame war that we're all hopefully healing from by now. I
really don't know what I should expect from gentoo in terms of security,
other than having a general understanding that upstream packages will be
maintained with security fixes. But clearly, creating a secure distro
involves more than just package maintenance. And clearly, more _IS_
being done than just upstream package maintenance. I just have no idea
what.

In other words, I don't see any mention of security in the gentoo
philosophy or in the social contract. With all of the "fix it yourself
if you don't like it" comments I've seen in this thread, I wonder if it
would be constructive to ask some pointed questions that get to the
heart of the matter:
What should be the extent of gentoo's social responsibility to ensure
the security and integrity of its software? How can this be made
transparent to users? Are security ethics worthy of mention in the
social contract?

Is there a written policy for determining what issues warrant the
issuance of a GLSA? If so, where? If not, should there be?

What part does security -- and by this, I mean security as a concept, as
an important consideration that keeps the Internet from imploding as
well as keeping nasty things away from our workstations -- play in the
gentoo philosophy? Does gentoo believe that security is a point of
primary importance to an OS? (surely yes!) Should some mention of this
be included in our philosophy statement?

What does the gentoo developer handbook have to say about security?
Should it address the security expectations we have of software developers?

What about users who lack the technical ability to "fix it themselves"?
Do we just want them to go back to Windoze, since they don't know any
python or C? Or do we have a rudimentary obligation to provide them
with some (how much?) degree of security out of the box? How should we
inform users of what to expect?

To what extent should the community be involved in managing security
issues? What mechanisms exist for this? Should there be a more
streamlined way for users to see what the status of current security
efforts is?

Is there a set of criteria we can agree on that might aid us in
assessing the severity of a threat and need for a fix, in a way that is
reasonable and fair? How are potential threats currently assessed?
What should someone do if they think a serious problem is being
overlooked or actively ignored? Is there a way to set up some
protocols/procedures that might avoid this kind of flame war in the future?
I hope no one sees this as trolling. I'm not trying to start another
flame war, but I think these are all fundamental, legitimate questions
raised by this thread. Where exactly _does_ the gentoo project stand on
security? And how do I find out? This is a key piece of missing
perspective.

Cheers,

-C-

PS - In the midst of all the (much-deserved!) dev glorification, I want
to also thank Peter for sticking to his convictions and moving this
issue forward.

Re: just can't let it die
I'm short on time so here's a quick answer to your questions.

On Thursday 11 November 2004 09:41, Chris Haumesser wrote:
<snip>
> Is there a written policy for determining what issues warrant the
> issuance of a GLSA? If so, where? If not, should there be?

http://security.gentoo.org should provide you with the pointers requested.

> What does the gentoo developer handbook have to say about security?
> Should it address the security expectations we have of software developers?

I would say yes, but no one has done it yet.

> To what extent should the community be involved in managing security
> issues? What mechanisms exist for this? Should there be a more
> streamlined way for users to see what the status of current security
> efforts is?

As with most of the development process there is http://bugs.gentoo.org.

But I'm all ears for other proposals, we love contributions.

> Is there a set of criteria we can agree on that might aid us in
> assessing the severity of a threat and need for a fix, in a way that is
> reasonable and fair? How are potential threats currently assessed?

See Vulnerability Policy on the above page.

> What should someone do if they think a serious problem is being
> overlooked or actively ignored? Is there a way to set up some
> protocols/procedures that might avoid this kind of flame war in the future?

File a security bug at http://bugs.gentoo.org

>
> I hope no one sees this as trolling. I'm not trying to start another
> flame war, but I think these are all fundamental, legitimate questions
> raised by this thread. Where exactly _does_ the gentoo project stand on
> security? And how do I find out? This is a key piece of missing
> perspective.

http://www.gentoo.org -> Security Announcements

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team