drobbins (Funtoo Linux BDFL), posted April 28, 2019

And to expand on this some more -- while it's true that we don't have a dedicated security team and rely on users to report CVEs, this doesn't mean that we trail behind Gentoo in all areas. For example, we have a fix in gettext for CVE-2018-18751 that Gentoo does not appear to have. We also had important fixes for avahi remote exploits before Gentoo. In general this means that our ability to be up-to-date with CVEs depends upon our users' ability to report these. In areas where we have had good reports, we have sometimes had things fixed sooner.
zogg, posted April 28, 2019

On 4/27/2019 at 6:01 PM, jhan said:
What is the problem with golang? In https://code.funtoo.org/bitbucket/projects/AUTO/repos/lang-kit/browse/dev-lang/go?at=refs%2Fheads%2F1.3-release we have version 1.11.4 and in https://code.funtoo.org/bitbucket/projects/CORE/repos/kit-fixups/browse/lang-kit/curated/dev-lang/go already 1.12.4, which is the current golang version. There is also an open bug (https://bugs.funtoo.org/browse/FL-6353) that might affect the distribution of packages under the lang-kit, but you should have at least version 1.11.4 on your system.

It was updated yesterday (I assume because of the post) to 1.12.x :D Before that, as I see from January 03, we had 1.11.4, which has the vulnerability in the link below; the vulnerability was published on the 24th of January, which gives us February, March and almost all of April until yesterday. https://www.cvedetails.com/vulnerability-list/vendor_id-14185/product_id-29205/version_id-280874/Golang-GO-1.11.4.html

Though my point is not about specific software, but that switching the release model doesn't automatically make everything perfect and stable (secure is stable, in my opinion, in 2019). I think that Funtoo has fewer maintainers and people contributing than Gentoo, and switching, as a solution, thinking it would take less time and power to maintain the system while keeping it stable, would not resolve the issue. And as all work done in Gentoo can be utilized as well, maybe instead of more and more breaking compatibility (after all, most of us came from Gentoo, which was also Daniel's creation) it can be used as experimental, current can be more stable, and stable would have releases, maybe with some tagged LTS once. The basic same idea of stable, masked, hard masked, where power is thrown into automating the process of merging from Gentoo with patching what is needed. At least until the user base grows.

Anyway, it's just my opinion, and for sure anything can suit everyone; after all, it would be fair to tell me "you want something different — you can always make your own", as it's easier to give criticism from the couch :P
zogg, posted April 28, 2019

On 4/27/2019 at 6:33 PM, drobbins said:
@zogg if you are looking for others to do the work for you and keep everything up-to-date for you, this is not the right distro for you. We track CVEs that are reported on the bug tracker and we actively incorporate any CVE fixes. But they need to be reported on the bug tracker. Definitely use Gentoo if you want a bunch of developers to do all the work for you.

I wrote the previous reply before reading yours :) In general I do agree with you, but I do not compare with Gentoo; I suggest co-existing, as with any other useful resources that can be used, that's it.
zogg, posted April 29, 2019

4 hours ago, jhan said:
If you really had any interest in helping out and had read the links I posted, you would have noticed that your assumption is wrong. The update from 1.11.4 to 1.12.3 was done with bug report https://bugs.funtoo.org/browse/FL-6342 on April 10 and then to 1.12.4 with https://bugs.funtoo.org/browse/FL-6352 on April 13. The reason why those versions did not appear with ego sync on your computer you could have found in the bug report I posted above. And if you had knowledge about this vulnerability earlier, why didn't you report it? Or even better, provide a fix?

I am not sure where and what the builds were, but I trust the 1.3 branch git commit history. And do not blame me for missing links to any bug report, as you obviously missed the whole point of my post and are cherry-picking exactly the things you want to answer, while sticking to golang. I did contribute to Funtoo when I could (yes, it was a long time ago, when Funtoo had just started and Martin and the other guys were in the core team), but currently I have less time and opportunity to do it. I did not report it, as I did not check what vulnerabilities golang or kubectl (somehow you did not comment on that one) have when I wrote the post (I work with those and I know there are some found this year). It was less important for me whether they are vulnerable on Funtoo, as in production I use golang docker images to build golang applications.
mlinuxgada (thread author), posted April 30, 2019

About go, in my opinion, it was far behind compared to most distros (even on dfbsd, which I use occasionally). Especially after switching to 1.3, all I see is vim-* bumps. As I mentioned several times, I use Funtoo to do my work, which is 90% backend dev, using go/php/js most of the time. For months go was behind, months. I personally have a local overlay, where all I do is version bumps.

On 4/27/2019 at 6:33 PM, drobbins said:
@zogg if you are looking for others to do the work for you and keep everything up-to-date for you, this is not the right distro for you. We track CVEs that are reported on the bug tracker and we actively incorporate any CVE fixes. But they need to be reported on the bug tracker. Definitely use Gentoo if you want a bunch of developers to do all the work for you.

Hmm, you're saying that package updates are not meant to be part of the distro? Something like "every man for himself", right? Well, that's something new. Isn't the distro supposed to handle ports/package updates, fixes, enhancements, etc ...?! At the moment, the way I understand the "new direction", it is something like:
- no way to keep up with current, as before, because there is no current - I hoped there was; no answer to that. It seems to me that at any moment you can drastically change the distro direction, just like that.
- all port updates/CVE fixes|patches / all mods are handled by the user alone - so, if you want updates, whatever, you're on your own.
@drobbins can you briefly answer the last 2, just those 2 please.
zogg, posted April 30, 2019

11 minutes ago, jhan said:
@mlinuxgada I'm not drobbins, but I think you misread that statement. I would answer your second question this way: the user does not handle it all alone; he can if he wants, but should at least file a bug report to let Funtoo know about the problem. If he wants to do more, he is welcome to work on the problem, analyzing it or even solving it. All software projects rely on their users to report problems.

If you need to report most of the things, it is kind of doing it yourself. It is fair to say that it's a homebrew distro and no one owes you anything. But if you advertise your distro as stable and say that it can be used in production, regardless of it being free or not, you need to provide certain standards. There is a problem of a small group of maintainers in Funtoo, and it's logical that it would not have all fixes and there would still be problems. The question is the % of user input vs maintainers' work. If there is a need for all users to always report, it's not everyday stable usage (at least if you use it not at home as a desktop env).

jhan also said:
As for your first question, you first have to define what current is. In my eyes there is no current, there is just always something newer. Even Gentoo is not current. They have more packages that are closer to the newest software versions, but they also have the manpower and infrastructure to do that. Even if Funtoo followed the updates from Gentoo, it would still require some testing, as Funtoo is not Gentoo and not everything that comes from Gentoo works well in Funtoo.

It's not about newer (and Gentoo has 9999 ebuilds, they are just hard masked). No one asks for the latest software that was released yesterday, but as mentioned above, except for vim there were barely any ebuild updates for more than a few months. Even Ubuntu, which is LTS, has newer packages. The question is the proportions and what the distro advertises itself as.

Sure, not everything in Gentoo is compatible and some of it requires manual changes (can it be automated?), but this is exactly the problem of "why use all the power, which is already not enough for new features, to break compatibility with Gentoo, whose resources can be used? Wouldn't it make Funtoo good as an idea and innovation compared to Gentoo, but it will stay as an idea, while it will always not have enough users/maintainers?" Or maybe innovate less and work on automatic Gentoo merging into Funtoo until it has its own maintainers and more users, so it can be more independent from Gentoo and can be tweaked even more. It all comes back to the roadmap and the calculation of your resources vs your plans in a more realistic way.