| 1 |
Rich Freeman wrote, on 08/27/2011 03:06 PM: |
| 2 |
> However, that isn't really what we're discussing here. What we're |
| 3 |
> talking about is GLSAs vs no GLSAs. Working automated GLSAs |
| 4 |
> apparently don't exist right now. It is wonderful that a bunch of |
| 5 |
> people are looking to change that, however it doesn't really change |
| 6 |
> the fact that we're not sending out GLSAs, and that makes it hard for |
| 7 |
> people to take Gentoo seriously as a distro. |
| 8 |
|
| 9 |
Yes, we are aware of that. We know it's very unfortunate, but just |
| 10 |
*stating* it doesn't get us more manpower. |
| 11 |
|
| 12 |
> If the new tool were |
| 13 |
> just a few weeks away then a few posts to -dev/-security updating |
| 14 |
> status would probably alleviate concerns. However, I think that |
| 15 |
> people have been talking about fixing the GLSA tool for ages now. |
| 16 |
|
| 17 |
We currently believe the tool *is* just a few weeks away; we plan to |
| 18 |
meet in person at the end of September. But I don't want to promise |
| 19 |
anything as real life may get in the way anytime. |
| 20 |
|
| 21 |
> I think the fundamental problem is failing to distinguish between |
| 22 |
> operations and improvements. You can't put the former on hold to work |
| 23 |
> on the latter. |
| 24 |
|
| 25 |
Sure, but that is not the case. It's still possible to use the old |
| 26 |
GLSAmaker and send out advisories; the problem is manpower. No-one |
| 27 |
currently wants to do the work with the old tool (And no, editing XML |
| 28 |
files manually won't motivate people either). |
| 29 |
|
| 30 |
> When resource constraints hit a volunteer project, the solution is |
| 31 |
> usually to create a more distributed solution. |
| 32 |
|
| 33 |
That's similar to the bug wrangling situation a while ago. The queue was |
| 34 |
huge and everyone knew we needed more people to wrangle the bugs. But |
| 35 |
how many people actually did that for more than a few? Not even a handful. |
| 36 |
|
| 37 |
Having maintainers "care" about security just won't work out. That's why |
| 38 |
the security team exists in the first place. |
Archives