"J. Lewis Muir" <jlmuir%imca-cat.org@localhost> writes: > This is where a miscommunication has occurred, I think. I'm not making > any such claim of liability. I'm strictly speaking of the first thing > you listed above: the concept of developers making a good-faith effort > and taking responsibility for security in their project. Demanding that volunteers make a good faith effort and "taking responsibility" is equivalent to an assertion of duty. It's demanding that other people do things because you think they should, and that is fundamentally rude. But people do make an effort, as they are able, among the infinite set of things that can be done. > Now, of course, that's all just my opinion. What I then went on to say > is that if the pkgsrc project doesn't agree with that, I thought it > would be good to make the pkgsrc project's intentions for what a user > can expect on the stable branch more clear because I thought there might > be other users like me who thought the statement in the pkgsrc guide > that said the stable branch "only gets modified for security updates" > meant that the pkgsrc project was committed to updating it for security > updates, not just sometimes. I also said that this would help any user No, "only gets modified for security updates" obviously means just what it says: that non-security-update changes do not happen. It is not a positive statement about an SLA for security updates. (And we make build fixes too, but that's not relevant.) The real point of the stable branch is that it's stable, and that installing it on a machine and then processing updates along the stable branch has a very very low likelihood of breaking a working setup, such as one might use in production. Stable,the latest updates, and feasible levels of effort don't go together, >> To be logically consistent, you should complain to OpenSSL that they did >> not release a micro release that is basically the last version with >> *only* security patches. (I'm not complaining about that -- just >> pointing out that without that, managing openssl is harder.) > > As I said above, I didn't know that OpenSSL had a track record of > breaking ABI backward compatibility in patch releases until Joerg > pointed that out, so I've now changed my opinion on that: I think it > is irresponsible of the OpenSSL project to operate that way and do not > consider it the pkgsrc project's responsibility to put forth effort to > compensate for that. OK, good luck addressing that. It would IMHO be quite reasonable after your conversation concludes to send a brief summary here. >> What I object to is the assertion that TNF has a duty to you to meet >> some performance standard in security pullups, and the assertion that >> people are entitled to some level of service. It's dangerous because >> the liability landscape is troubling in general, and statements that >> there is a duty muddy the waters. > > I said it above, but again, I don't think I ever said anything about > liability. What I'm talking about is what I consider to be responsible > software development. You said things like "take responsibility" and whether you like it or not, that equates to duty, and duty implicates liability. I don't think it's ok for assertions of duty to go unchallenged. The other thing is that pkgsrc actually overall does pretty well all things considered,, when viewed over 20K packages and lots of varying upstream norms, with a very long track record of having stable branches happen and important things kept up to date. People shouldn't think it's a bad situation just because nobody did an openssl pullup for reasons that have been explained upthread. And, Iain got help and instructions about how to apply the change to his tree, and did so. So it's not like people are unhelpful.
Attachment:
signature.asc
Description: PGP signature