From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp0 ([2001:41d0:2:4a6f::]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id 6DV/IUOYW2DXxgAAgWs5BA (envelope-from ) for ; Wed, 24 Mar 2021 20:51:31 +0100 Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp0 with LMTPS id WOBAHUOYW2CmaAAA1q6Kng (envelope-from ) for ; Wed, 24 Mar 2021 19:51:31 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 0DC1A111AD for ; Wed, 24 Mar 2021 20:51:31 +0100 (CET) Received: from localhost ([::1]:33754 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lP9XO-0001E6-75 for larch@yhetil.org; Wed, 24 Mar 2021 15:51:30 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34118) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lP9X6-0001Dz-71 for guix-devel@gnu.org; Wed, 24 Mar 2021 15:51:12 -0400 Received: from wout5-smtp.messagingengine.com ([64.147.123.21]:46899) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lP9X4-0006Ff-Dt for guix-devel@gnu.org; Wed, 24 Mar 2021 15:51:12 -0400 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id B86F29B1; Wed, 24 Mar 2021 15:51:08 -0400 (EDT) Received: from mailfrontend2 ([10.202.2.163]) by compute1.internal (MEProxy); Wed, 24 Mar 2021 15:51:09 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=mesmtp; bh=ijJpXM7unH8GVgz+0mN6nwfk fa8TEd5I57MgJ+aAv3k=; b=rcosoSJAfYNeSiC3TlFCjZun1PqX9HNdvvktO9JB IYwC+zOGjfsxk+5UlzCvg3e7RZQY3d6s/buL/lpAKZad3ARjke/ZTiCK5eu5M2s/ 2cpgTHITWP8GMM2rgAxllYo+ScMcbHphTaqXwKm7q6KaAtMQeOnSF8MQu57pzN4X R14= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=ijJpXM 7unH8GVgz+0mN6nwfkfa8TEd5I57MgJ+aAv3k=; b=OIyRErLYvgQFyUH/tU84C0 b/Az65puHiFp37XDE9KS8tJ8pHdO10hPK+eVQWnQPOlBxK8pckfRNTNhnNFjFgcS vbku/tJIKE8gWlCyU0OSc0WjqXxochQEYU+Hc/MFWriY18R68O1YGoYcmqVaL4EJ M8c3e7ntdkenA9f6hNfC0xa4nD40/KpFOnzuQiXsuGJ5wVAeoZ18CK8THeAc52dK 9Ml5qVmtZKHJG/TdGCH5IMBey9WL3T09vufB3lq29NhxrK6baT3Z4xVkOu51rmE8 Pn+2vdFwRIIvKRGP9d4+3SDalwhL9dMIKBNMNKJPc0UW+Gu8g/oUh0gNbdK5O6Gw == X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrudegkedguddvkecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtuggjsehgtd erredttdejnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhl rghrihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpefhteekleeiveeiueefgeeggeegtd eludekkeetgfdukeehkedthfejleeigffhgeenucffohhmrghinhepshholhhiugdqrhhu nhdrtghomhdprghvrghnthgvkhdrtghordhukhenucfkphepuddttddruddurdduieelrd duudeknecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhep lhgvohesfhgrmhhulhgrrhhirdhnrghmvg X-ME-Proxy: Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net [100.11.169.118]) by mail.messagingengine.com (Postfix) with ESMTPA id D8C2A1080054; Wed, 24 Mar 2021 15:51:07 -0400 (EDT) Date: Wed, 24 Mar 2021 15:51:06 -0400 From: Leo Famulari To: Ricardo Wurmus Subject: Re: [opinion] CVE-patching is not sufficient for package security patching Message-ID: References: <9b9a43a584e2dc70488482fce5931b46abd0e006.camel@zaclys.net> <87v99qit39.fsf@netris.org> <877dm29iog.fsf@gnu.org> <20210322144404.1636b9cf@riseup.net> <875z1hv5tt.fsf@elephly.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="J0sJrw4iKp186yMx" Content-Disposition: inline In-Reply-To: <875z1hv5tt.fsf@elephly.net> Received-SPF: pass client-ip=64.147.123.21; envelope-from=leo@famulari.name; helo=wout5-smtp.messagingengine.com X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: guix-devel@gnu.org Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: "Guix-devel" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1616615491; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=ijJpXM7unH8GVgz+0mN6nwfkfa8TEd5I57MgJ+aAv3k=; b=gZ7sXalOFU29PCTka6DrwNn5+bgk8TO/WPb+KgLT3v7yFWIF14fnMPavRoYNgocxbGwARi 8rJd5OhSKe/lk9sWj2VtlOGzYX//1xqS9qCAPIa2beTPDrTnrB1YFb56IO0scwIHENkCeV kEipnXEtjePyS234PxUXvtaRLDnqnx9KlmUd3CcuO9XLz8kHn1R990e9qHJx3F7C1X+qCI mB0kchSjr5woyXtb7Lg2q5nMVdxh45rYaUc5mJ8RBaIz7bE76BeBixJtIrhf8D4y3mRLG5 y4+RAGlYwyTVkr8JmfSToQu1EXc+F6H37D5UUhdEwNUSN27DTEQ37GVhToQ+UQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1616615491; a=rsa-sha256; cv=none; b=gAH4VtSAlfRjfd1shGXMKFHfnvio0fsrhTVdDDXlY93SuHuNz764vDSHpCb3CXcqM+ld/2 CvMplPwXAQrALaSN+UkC8i13IKVsM/+w2OnNDWA0NyghPdDBQfNfjSMIotKnRFFEvcg3Yt 7V7lMYrju2gcn0oFq5NscMqwcD6yftI0rr7aOjn0mMV6etzJ04fL96iSjH97RKoOphcfJO V8kaj6Xe/kv21eYcaAo56fX+o17jP8wnz6chEjvVe72+4ZSG9cot4BChSv03E3EeWP/+te fSiDRCUiQxGhwIG7aacLlZjQn/akl67kDTxlhVsfGR5lPwNEMy8geKvc46XCJg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=rcosoSJA; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=OIyRErLY; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Spam-Score: -3.52 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b=rcosoSJA; dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=OIyRErLY; dmarc=none; spf=pass (aspmx1.migadu.com: domain of guix-devel-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-devel-bounces@gnu.org X-Migadu-Queue-Id: 0DC1A111AD X-Spam-Score: -3.52 X-Migadu-Scanner: scn0.migadu.com X-TUID: II8fHRF8C+kI --J0sJrw4iKp186yMx Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Mar 23, 2021 at 11:54:54PM +0100, Ricardo Wurmus wrote: > This seems to be a misunderstanding. The first step is to use the money > we already have but cannot exchange for hardware, because >=20 > - finding appropriate hardware that you can actually buy is not easy > - hosting needs to be considered because we can=E2=80=99t just dump them = in the > MDC data centre where most of the Intel servers are hosted. >=20 > We bought a handful of Overdrive 1000 in the past (they are no longer > sold), and hosting was always an obstacle. >=20 > While looking for ways to get the project some more money is certainly > worthwhile, it=E2=80=99s really not the pressing issue here. I volunteer to host one or two workstation-type 64-bit ARM machines. Concretely, this would mean a Honeycomb LX2 or Ampere ALTRA workstation, since I don't believe there are any other aarch64 workstations available for sale. https://www.solid-run.com/arm-servers-networking-platforms/honeycomb-workst= ation/ https://store.avantek.co.uk/ampere-altra-64bit-arm-workstation.html --J0sJrw4iKp186yMx Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBbmCoACgkQJkb6MLrK fwjDJQ/8CLs5JqZvLTNa6xA2gRiQ/GahnWq1EQDu3nOuzWXF8jT2Fu2vSqRtM66x l6DPRnCpj5U/bFFOnFYlt7euLQCaBfnq8qpuUA0bKxkAtt5FwDtQiPBeQYnAsIDJ YDz85GLY9YIg4RSFpg6A8m1+21Ds5ZYTFXMq3+p98CTf/n2s3IfpIOuXUWWlKykL I7MA7tj74hBUvJi5GCqnnjevQ46N0j8Kf6f1LBzn1BH4GlXtktaXjR/mRx/wYscV NcA8U2E3vpQZ+9uDm0TCoqssc+aa6y6y4ygeDPXXmnE7yPZpo0A6VIPzdVNzHZyL NCquN5aK2t6pWSDFD3koD6uOb5EFWSKCYu2GzkEJY9JmgZ8rCjgAIkF/5Z3dHap9 /xIXP/MlbnBz1lqxNw5/v8qXa1JD0YD5x9ZrInBNF1J+aG8OAivtcR0tOSRtoNgr ilMQQP1P29h/NKZPxw0faoBzOf9pfPLc54RwuYjx4E+jwJYsHVBTb0XlU4LLWdMc KP7qXnIUXhOU4uRNPOKmZN5K4rsDYha3MfAjxyK9QnIIoYMM/f/Wb+ra3Ch6MdJ8 mlD2Ovy014HFNsRKcs/wu+ZG1QoomZEdQFEUSlVryWvvDeHpJq0KDz5kaqb3bgUI tuV9l/A+BQPBuBNstw6kTaJmvOT/NI+Oxk0/pfQTuwRVnmc+d/g= =sMKs -----END PGP SIGNATURE----- --J0sJrw4iKp186yMx--