pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Will OpenSSL 1.1l be back ported to 2021Q2?



"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes:

> This is where a miscommunication has occurred, I think.  I'm not making
> any such claim of liability.  I'm strictly speaking of the first thing
> you listed above: the concept of developers making a good-faith effort
> and taking responsibility for security in their project.

Demanding that volunteers make a good faith effort and "taking
responsibility" is equivalent to an assertion of duty.  It's demanding
that other people do things because you think they should, and that is
fundamentally rude.

But people do make an effort, as they are able, among the infinite set
of things that can be done.

> Now, of course, that's all just my opinion.  What I then went on to say
> is that if the pkgsrc project doesn't agree with that, I thought it
> would be good to make the pkgsrc project's intentions for what a user
> can expect on the stable branch more clear because I thought there might
> be other users like me who thought the statement in the pkgsrc guide
> that said the stable branch "only gets modified for security updates"
> meant that the pkgsrc project was committed to updating it for security
> updates, not just sometimes.  I also said that this would help any user

No, "only gets modified for security updates" obviously means just what
it says: that non-security-update changes do not happen.  It is not a
positive statement about an SLA for security updates.  (And we make
build fixes too, but that's not relevant.)

The real point of the stable branch is that it's stable, and that
installing it on a machine and then processing updates along the stable
branch has a very very low likelihood of breaking a working setup, such
as one might use in production.  Stable,the latest updates, and feasible
levels of effort don't go together,

>> To be logically consistent, you should complain to OpenSSL that they did
>> not release a micro release that is basically the last version with
>> *only* security patches.  (I'm not complaining about that -- just
>> pointing out that without that, managing openssl is harder.)
>
> As I said above, I didn't know that OpenSSL had a track record of
> breaking ABI backward compatibility in patch releases until Joerg
> pointed that out, so I've now changed my opinion on that: I think it
> is irresponsible of the OpenSSL project to operate that way and do not
> consider it the pkgsrc project's responsibility to put forth effort to
> compensate for that.

OK, good luck addressing that.  It would IMHO be quite reasonable after
your conversation concludes to send a brief summary here.

>> What I object to is the assertion that TNF has a duty to you to meet
>> some performance standard in security pullups, and the assertion that
>> people are entitled to some level of service.  It's dangerous because
>> the liability landscape is troubling in general, and statements that
>> there is a duty muddy the waters.
>
> I said it above, but again, I don't think I ever said anything about
> liability.  What I'm talking about is what I consider to be responsible
> software development.

You said things like "take responsibility" and whether you like it or
not, that equates to duty, and duty implicates liability.  I don't think
it's ok for assertions of duty to go unchallenged.

The other thing is that pkgsrc actually overall does pretty well all
things considered,, when viewed over 20K packages and lots of varying
upstream norms, with a very long track record of having stable branches
happen and important things kept up to date.  People shouldn't think
it's a bad situation just because nobody did an openssl pullup for
reasons that have been explained upthread.  And, Iain got help and
instructions about how to apply the change to his tree, and did so.  So
it's not like people are unhelpful.

Attachment: signature.asc
Description: PGP signature



Home | Main Index | Thread Index | Old Index