> On 20 April 2017 at 03:23:04, Ralf Mardorf wrote:
> I would be concerned, if too many security features not everybody needs,
> would become default. Why not dropping security features completely and
> instead making real-time optimised features the default? This is a
> rhetorical question, but actually I would prefer the latter.

Did you know those security features were extensively tested for performance, with many people involved? See: https://github.com/pid1/test-sec-flags/wiki

It's 2017, security doesn't mean unoptimized. There was an attempt to bring more optimizations already used in the Clearlinux project, like pgo and lto, into makepkg, but it's still on the sidelines due to lack of time from devs. See https://aur.archlinux.org/packages/makepkg-optimize2/

> On 20 April 2017 at 10:32:32, Jelle van der Waa wrote:
> PIE is blocked by upstream because of this bug iirc. [1]
> [1] https://sourceware.org/bugzilla/show_bug.cgi?id=21090

Did you know this bug was reported by a concerned user because the dev hadn't time for it for half a year? Plus nobody ever explained why a minor bug in the testsuite should be a blocker here. Also there are more security flags to be enabled, trivial to add and blocked only by lack of time/lack of will, even when other devs explicitly asked for this.

> On 20 April 2017 at 10:43:03, David C. Rankin wrote:
> Taking the needed time to git it done correctly the first time is NOT an
> indication of poor health -- just the opposite. I would rather have packages
> stay in testing an additional 30 days and have all problems addressed than
> have it called "good enough" in some arbitrary rush that results in more
> problems and bug reports down the line.

I agree with the above but it's not the case here. Packages don't stay in testing for an extended period because actual problems are being resolved, but because everyone who did his/her job has to wait for someone who didn't. See https://www.archlinux.org/todo/openssl-rebuild-take-2/ . Everything is done except one package and nothing has changed for weeks.

It's not about blaming anyone because I believe everybody does what they can. It's about finding a way to help those who struggle. When some users are asking about how they can help, answering WE DON'T NEED HELP isn't very appropriate. Even if you don't care at all about it, please don't try to discourage those who care.