Poettering: Revisiting how we put together Linux systems
Posted Sep 2, 2014 1:09 UTC (Tue) by clopez (guest, #66009)
In reply to: Poettering: Revisiting how we put together Linux systems by mezcalero
Parent article: Poettering: Revisiting how we put together Linux systems
That sounds good in theory. But in practice what is going to happen is that most runtimes are not going to have an acceptable level of security support.
Also, with this new setup updating becomes much more complicated: instead of upgrading one runtime (your system), you have to upgrade dozens of runtimes (assuming that the runtime provider cared to release an update).
Just imagine the pain of patching all your runtimes after a bug like Heartbleed...
To give some examples:
I install an application that uses the Fedora 18 runtime. For how long am I going to have security upgrades for the Fedora 18 runtime? What happens after that, if the application wasn't updated for a new Fedora runtime? I'm on my own?
Even worse, say that a developer publishes an application using a custom Gentoo runtime. Do you trust the developer to provide security updates for that custom runtime? Really?
Posted Sep 2, 2014 4:54 UTC (Tue)
by NightMonkey (subscriber, #23051)
[Link] (4 responses)
Like any software, you will have to carefully choose where you get it from. The straw man of some wild and crazy and irresponsible Gentoo-using compiling-even-on-Sunday developer being the ONLY ONE who supports the software that ONLY YOU AND A MILLION OTHERS need is preposterous.
Posted Sep 2, 2014 6:14 UTC (Tue)
by dlang (guest, #313)
[Link] (1 responses)
Posted Sep 2, 2014 7:35 UTC (Tue)
by NightMonkey (subscriber, #23051)
[Link]
Posted Sep 2, 2014 10:32 UTC (Tue)
by clopez (guest, #66009)
[Link] (1 responses)
My point here is that a developer that releases an App using an Ubuntu or Debian runtime can rely on other developers (or even the distribution) upgrading the runtime. He doesn't have to be the one that upgrades the runtime with security upgrades; he can "outsource" that job to the distribution or other developers.
However, for a developer using a Gentoo runtime, outsourcing that job is pretty much impossible. This is because Gentoo is both a rolling release (the package version numbers change constantly) and because each package can have very customized compilation flags or patches.
Everybody using the "Ubuntu X" runtime shares the same runtime, so outsourcing (or delegating) security upgrades to others becomes easier. However, each one of the Gentoo runtimes is different. No one is going to share a Gentoo runtime. So the responsibility of security upgrades on a Gentoo runtime falls only on the developer of the application using that runtime.
Posted Sep 2, 2014 14:34 UTC (Tue)
by Wol (subscriber, #4433)
[Link]
I can take a snapshot and then do an "emerge world" - great for keeping my system up-to-date, and makes a great development platform.
But any developer who develops for just the one distro - the one on his own system - is an idiot if he wants others to use it too. For testing purposes you really need to build it on a couple of distros. In my case, I'd build it on the latest SLES (provided it wasn't too long in the tooth).
Then the version that's released for general use is against some version of LTS. Those who want bleeding edge run the rolling release, those who want stable run it against an LTS.
Cheers,
Wol