On 20 April 2017 at 03:23:04, Ralf Mardorf wrote:
> I would be concerned, if too many security features not everybody needs, would become default. Why not dropping security features completely and instead making real-time optimised features the default? This is a rhetorical question, but actually I would prefer the latter.
Did you know those security features were extensively tested for performance, with many people involved? See: https://github.com/pid1/test-sec-flags/wiki
It's 2017, security doesn't mean unoptimized. There was an attempt to bring more optimizations already used in the Clearlinux project, like pgo and lto, to makepkg, but it's still on the sidelines due to lack of time from devs. See https://aur.archlinux.org/packages/makepkg-optimize2/
On 20 April 2017 at 10:32:32, Jelle van der Waa wrote:
> PIE is blocked by upstream because of this bug iirc. [1]
>
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=21090
Did you know this bug was reported by a concerned user because the dev hadn't had time for it for half a year? Plus nobody ever explained why a minor bug in the testsuite should be a blocker here. Also there are more security flags to be enabled, trivial to add and blocked only by lack of time/lack of will, even when other devs explicitly asked for this.
On 20 April 2017 at 10:43:03, David C. Rankin wrote:
> Taking the needed time to git it done correctly the first time is NOT an indication of poor health -- just the opposite. I would rather have packages stay in testing an additional 30 days and have all problems addressed than have it called "good enough" in some arbitrary rush that results in more problems and bug reports down the line.
I agree with the above but it's not the case here. Packages don't stay in testing for an extended period because actual problems are resolved but because everyone who did his/her job has to wait for someone who didn't. See https://www.archlinux.org/todo/openssl-rebuild-take-2/ . Everything is done except one package and nothing changed for weeks.
It's not about blaming anyone because I believe everybody does what they can. It's about finding a way to help those who struggle. When some users are asking about how they can help, answering WE DON'T NEED HELP isn't very appropriate. Even if you don't care at all about it please don't try to discourage those who care.