List Archive: gentoo-security
On Thu, Mar 18, 2004 at 02:57:14PM +0100 or thereabouts, Koon wrote:
> Could you detail in what areas help is needed, so that we can evaluate
> if our profiles (free time and knowledge) can fit in?
We need folks to monitor bugzilla for security-related postings and then
push valid postings through the GLSA process.
> However, I had a concern recently with the latest kernel GLSA which has
> been over-delayed in my opinion. I've posted about this in this
> mailing-list so that we can discuss steps to avoid such delays in the
> future, but with no answer from the official people in charge.
Kernel GLSAs are difficult because we can't release the GLSA until all our
kernels have been patched. Our kernel team is also short-staffed, so that
takes time. Know any good kernel hackers that want to help out? Send them
my way and I'll make sure they get put in touch with the right person.
> There is one point where I agree with Tobias: too many GLSA diffusion
> channels might increase the potential sync problems. gentoo main page,
> forums, mailing-list(s), GLSA-test hub... I think we have to be careful
> about that.
gentoo-announce is *the* official means of distributing GLSAs. If you want
to make sure you receive all GLSAs, sign up for that. We also publish to
external lists as a "best practice" and a way to reach out to the larger
Linux community to ensure they're aware of vulnerabilities as well.