| 1 |
I just wanted to clarify that my intent is not to complain, or to imply |
| 2 |
that Gentoo devs aren't working hard enough, or that "Gentoo sucks" or |
| 3 |
anything of the sort; I may have transmitted the wrong impression in my |
| 4 |
previous email, for which I apologize. It is precisely because I |
| 5 |
appreciate the dedicated effort of all the Gentoo volunteers, and the |
| 6 |
high standards of quality which this distribution has always maintained, |
| 7 |
that I would hate to see such efforts subjected to unfair criticism due |
| 8 |
to a few isolated procedural problems. |
| 9 |
|
| 10 |
The problem here wasn't, in my opinion, a lack of effort by anyone; as |
| 11 |
noted before, the fix was in the tree within hours, or within a day. The |
| 12 |
thing is, for whatever reason, the fix only came out a contextually very |
| 13 |
long time after that. This is what concerns me, and others I'm sure. |
| 14 |
It's very bad for the image of Gentoo, it gives the impression that you |
| 15 |
don't take security as seriously as others, and this -- at least in my |
| 16 |
view -- couldn't be farther from the truth. The main reason I use Gentoo |
| 17 |
Hardened on critical servers is precisely due to the effort and |
| 18 |
commitment put in by the security team at every level, from the kernel |
| 19 |
and toolchain to the user packages themselves. Nevertheless, the fact |
| 20 |
remains that anyone using Hardened was left open to a vulnerability for |
| 21 |
a longer time than would have been necessary, given that the fix was |
| 22 |
already implemented within the tree. Also, I am concerned for the users |
| 23 |
of normal gentoo-sources, who were vulnerable for a very extended period |
| 24 |
of time. |
| 25 |
|
| 26 |
I believe that it would be a positive thing to analyze what happened, |
| 27 |
and try to learn from it so that next time things go better. I would |
| 28 |
submit that sometimes, a lengthy procedure may get in the way of getting |
| 29 |
things done; or at least, that the established procedure should be more |
| 30 |
flexible to account for these cases. |
| 31 |
|
| 32 |
Regards, |
| 33 |
Israel |
| 34 |
|
| 35 |
On 10/17/2010 02:59 PM, Israel G. Lugo wrote: |
| 36 |
> Greetings, |
| 37 |
> |
| 38 |
> So what's the conclusion on what happened with bug 337645? What can we |
| 39 |
> learn from here? That everything went just fine and according to plan? |
| 40 |
> That hardly seems like a realistic assessment. If we ignore mistakes |
| 41 |
> instead of learning from them, we are doomed to repeat them. |
| 42 |
> |
| 43 |
> [...] |
Archives