I just published an article over at LWN called “The state of Gentoo.” In it, I talk about Gentoo’s progress over the past few years as well as its current problems, how they’re affecting Gentoo’s user and developer communities, and how to begin fixing them.
I’ve gotten a lot of positive feedback from our developers on the article so I’m confident that it’s generally a fair representation of where things stand today. However, Alex Legler (a3li) kindly told me our security team does much more behind the scenes to report vulnerabilities and get updated packages stabilized, even if we don’t see the results in the form of GLSAs.
It is a much better strategy to get maintainers to fix the issues than to do everything yourselves.
That’s the same thing I was saying to Alex a couple of days ago. He thought there wasn’t much more they could offload, because maintainers of many packages don’t actually follow security issues.
Your suggestion doesn’t make any sense. Maintainers *do* fix the issues. The other things like filing the issue properly, rating its severity and making sure that they get stabilized right away, is what we do. In many cases maintainers already take care of the stabilizing part after bumping a package, so that we just have to give ‘finishing touches’ to the information listed in Bugzilla.
So, there’s not much more left we can or have to delegate, otherwise every developer would need a ‘Security Policies 101’ course before they could start.
Thanks for the article. I wonder whether some web page with requests for help which would drive users or developers directly where they are needed would be the thing to consider. GNU Savannah is a service similar to this but I do not know how many people use it.
I agree that security on Gentoo is generally good as long as you accept all updates. If you depend on GLSAs you will get burned (at the moment).
Rich, you know, repeating the same statement on several forums over and over again doesn’t make the situation any better. Have you offered any kind of actual help yet? (No, suggesting to write the advisories in plain XML is no help)
It’s for that reason I wrote a helper application called “cvechecker”, allowing me to track public known vulnerabilities (identified through their CVE) and their effect on my system (as scanned by cvechecker or handed by a configuration file). It’s not fool-proof, but handy nonetheless.
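The matching that the comment above describes, a list of installed package versions checked against public CVE records, is shown here as an added example. It is not cvechecker's own code: the package list, the CVE identifiers (placeholders of the form CVE-XXXX-nnnn), the "fixed in" versions and the simple dotted-version-with-optional-revision scheme are all constructed for the example.

```python
"""Minimal CVE-vs-installed-package matcher, added as an illustration of the
idea behind cvechecker (not cvechecker's own code).  All data below is
constructed; CVE ids are placeholders, not real advisories."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # placeholder CVE id (constructed)
    package: str    # package name in category/name form
    fixed_in: str   # first version that is no longer affected
    severity: str   # severity label as a security team would rate it


def version_key(version: str) -> tuple:
    """Turn '3.6.20' or '7.10-r2' into a comparable tuple.
    Numeric parts compare as integers, trailing letters as strings, and a
    missing revision sorts before '-r1'.  Assumption: dotted versions with
    an optional -rN revision suffix, which is enough for the sample data."""
    base, _, rev = version.partition("-r")
    parts = []
    for piece in base.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        parts.append((int(m.group(1)), m.group(2)) if m else (-1, piece))
    return (tuple(parts), int(rev) if rev else 0)


def is_affected(installed: str, fixed_in: str) -> bool:
    """An installed version is affected when it is older than the fix."""
    return version_key(installed) < version_key(fixed_in)


def parse_watchlist(text: str) -> dict:
    """Read 'package version' lines (the 'handed by a configuration file'
    case); blank lines and '#' comments are ignored."""
    installed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        package, version = line.split()
        installed[package] = version
    return installed


def find_affected(installed: dict, vulns: list) -> list:
    """Return (cve, package, installed, fixed_in, severity) for every record
    that applies to an installed version, sorted by CVE id."""
    hits = []
    for v in vulns:
        cur = installed.get(v.package)
        if cur is not None and is_affected(cur, v.fixed_in):
            hits.append((v.cve, v.package, cur, v.fixed_in, v.severity))
    return sorted(hits)


# Constructed sample input: what a scan or a config file might hand us.
WATCHLIST = """
# package                 installed version
www-client/firefox        3.6.20
net-misc/curl             7.10-r2
app-arch/tar              1.26
"""
INSTALLED = parse_watchlist(WATCHLIST)

# Constructed vulnerability records (placeholder ids, not real CVEs).
VULNS = [
    Vuln("CVE-XXXX-0001", "www-client/firefox", "3.6.22", "high"),
    Vuln("CVE-XXXX-0002", "net-misc/curl", "7.10-r3", "medium"),
    Vuln("CVE-XXXX-0003", "app-arch/tar", "1.26", "low"),     # already fixed
    Vuln("CVE-XXXX-0004", "dev-lang/lua", "5.1.5", "low"),    # not installed
]


if __name__ == "__main__":
    for cve, pkg, cur, fix, sev in find_affected(INSTALLED, VULNS):
        print(f"{cve} [{sev}] {pkg}-{cur} affected, fixed in {fix}")
```

A real tool would pull the installed list from the package manager and the records from a CVE feed; the point of the sketch is that the comparison has to be version-aware (including the distro's revision suffix), otherwise an already-patched package keeps showing up as vulnerable and a revision bump that carries the fix is missed.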
Thank you for the whole article, I think Gentoo badly needed a summary of the past few years. It is good news that devs agree about its contents, even better that you took the burden of writing all of this and made it public.
Having statistics about devs is interesting, but I think you should also try to do something with the forum statistics, because that’s definitely the main place where you can find active users. And as someone pointed out in the LWN comments, the whole purpose of a distribution is its users.
I’m just going to point out that, as a user, I never felt compelled to try to become a dev because of all the ego wars that broke out a few years ago. I think the light was never brought out completely on that dark period, maybe it’s too late now, but I have a general feeling that many good devs resigned leaving some bad ones in control (or at least, untouched). I’m not talking here about talent in programming, of course, but devs as people and their social behaviour. Creating devrel always seemed to me like applying a patch but not fixing the problem at its roots.
Also, I think Gentoo needs to do better in terms of communication, if only internally (towards its users). You explain in your article how the EAPI was upgraded several times, but was there ever a single piece of news somewhere to tell the users about it? The answer is simple: no. And please, I don’t want to have to read the gentoo-dev ML to know what’s new in Portage. Devs should be proud to announce the enhancements brought. The main web page (www.gentoo.org) is cluttered with peripheral information like planet posts and new packages added. I’d like to see more articles like the “Qt 4.7 and KDE 4.6 going stable, finally!” one. That kind of article should be the norm, not the exception.
And yes, there’s definitely some lag with regards to security when you’re using a stable system. The latest stable version of Firefox is 3.6.20, which means the DigiNotar certificates aren’t revoked. It’s been 3 weeks, there’s even a 3.6.22 too revoking something else, why is it taking so long? It’s not like I’m talking about some obscure package used by 3 people in the world in which a local exploit was discovered. There’s something really wrong here.
The current organisation of Gentoo seems like a giant bureaucracy in which it takes forever for something to happen. A big change is needed, IMHO.
Hi Thomas,
I have contacted the mozilla team to find out about this situation with firefox and, sadly, it’s caused by low manpower as some devs don’t have much time for gentoo just now 😦
The solution for this is hard as, without fresh blood, we cannot do much more currently. Jory will focus on bumping them and trying to get them stabilized soon but, if you feel you could be ready to become a gentoo dev, I wouldn’t hesitate to mail the gentoo-dev mailing list asking for a mentor for you.
Thanks a lot and sorry for the inconvenience
Thanks for the update. I’m an old gentoo arch-tester, and I left during the “troubles”. I still look to gentoo as my source for how to do it the right way, but I run Arch now because I’m Canadian, eh.
One good way to measure a community is to request the channel list from freenode, and sort by number of users per channel. Gentoo is always near the top (currently 8th on my last search). That tells me the community is still quite strong.
“but I run Arch now because I’m Canadian, eh.”
retard
Why didn’t you link straight to LWN? The URL is already pretty short (http://lwn.net/Articles/458794/) and since this isn’t twitter, it doesn’t count against your character count, and I don’t have to type it in by hand... and better yet, it actually works (bit.ly seems to be down right now).
I use bit.ly to aggregate stats for clicks on my links from a variety of sources.
First, thank you for the article!
Second, in the article you write about the looong migration of the portage tree to a vcs, isn’t it possible to “copy” it from the Funtoo project? They have nice scripts for it 🙂
It’s not the repo conversion itself, it’s all of the supporting infrastructure we need. Git hooks, GPG-secured commits and pushes, and so on. Check out the tracker bug linked in the story.