GNU bug report logs - #55903
[PATCHSET] Adding aerc


Package: guix-patches;

Reported by: "(" <paren <at> disroot.org>

Date: Sat, 11 Jun 2022 09:07:01 UTC

Severity: normal

Tags: patch

Done: Raghav Gururajan <rg <at> raghavgururajan.name>



Message #275 received at 55903 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: "(" <paren <at> disroot.org>, 55903 <at> debbugs.gnu.org
Subject: Re: [bug#55903] [PATCH 25/41] gnu: Add go-github-com-protonmail-go-crypto-openpgp.
Date: Sun, 12 Jun 2022 15:57:38 +0200
( schreef op zo 12-06-2022 om 14:13 [+0100]:
> Seems a little risky just to avoid packaging one fork

It's not about _one_ fork, it's about forks in general.
And wasn't it backwards compatible?  And there's no need for the slightly risky
‘point the go-golang-org-x-crypto package at protonmail’ if it is
upstreamed instead.

> Anyway, I think it'd probably just drive people even further away
> from distribution package management towards the "modern" (read:
> insecure, bloated, and inherently flawed) stuff like Docker and
> Flatpak.

At some point, if people shoot themselves in the foot by being misled
by other projects, that's not something Guix can help with avoiding I
think.  (Unless someone wants to start an awareness campaign?)

Anyway, I don't follow -- your proposal is to include all the forks
where used by upstream, which leads to insecurity because:

  * more packages -> more complexity -> more difficult to do changes
  * more packages -> more packages that can be out-of-date
  * more forks -> more forks that might be unmaintained and hence be at
    risk of being known-insecure by attackers without an update
    available
  * more packages -> more packages that need to be updated -> less time
    for structural improvement on security
  * more packages -> more opportunity for malware to enter.

and also:

  * more packages that +- do the same thing -> bloat

So from here, the proposal implies making packaging in Guix worse in
some aspects, such that people don't use other systems that are bad in
the same aspects ...  I don't think it's a good idea to start a ‘race
to the bottom’ [0].

[0] https://en.wikipedia.org/wiki/Race_to_the_bottom

Greetings,
Maxime.
