List Archive: gentoo-security
Hello everybody,
There seems to be a HUGE problem with consistency in Gentoo security
announcements and coordination among Gentoo maintainers.
Step by step:
Why does it take Gentoo that long to react to security issues?
Where can I get information about who is responsible for announcing
Gentoo security related issues? Is there an official Gentoo security
team like Debian has? Is there a single, responsible security
manager/director?
Why are security announcements not handled in a consistent way? Just one
example: There are at least three places where I have found Gentoo
security announcements, but not a single one of these announcements appeared
in all of these places. Rather, I have to search for all of those
announcements across several unrelated media to collect them all. This
is outrageous.
Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security
announcement to full-disclosure. WHY CAN'T I FIND THIS SAME ANNOUNCEMENT
IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?! Sorry for the screaming,
but if the people behind Gentoo want Gentoo to be considered a
professional and productive distribution that is equal to Debian, Red
Hat, SuSE and the like, then you need to handle these matters in a
professional way. What you are doing right now IS NOT professional. It
is dangerously careless. You are irresponsible by acting this way,
endangering everybody who chooses to use Gentoo by making them believe
their distribution is maintained properly because they saw some good
looking security announcement at some point while they miss almost 60%
of other critical issues.
The latest security announcement on gentoo-announce is "Honeyd remote
detection vulnerability" by Tim Yamin. This is just embarrassing. If you
look at
http://forums.gentoo.org/viewforum.php?f=16&sid=fbf41b023affaed791f083666ea5352b
you'll see that the latest announcement there is "Linux kernel do_mremap
local privilege escalation". HOW DO YOU EXPLAIN THESE INCONSISTENT
ANNOUNCEMENTS?
Security announcements are totally out of sync, some are never issued
using the appropriate channels, and most of them are released hours,
sometimes days, after other distributors do.
I can only advise you to take security more seriously. Running any machine
in a productive environment with Gentoo is totally out of the question
as long as these matters are not handled in an appropriate way. Until then,
Gentoo is only suitable for use at home to play around, unless of course
every Gentoo user is his own security team.
I hope this is a wakeup call. Take care.
Kind regards,
Tobias Weisserth
p.s.: I have posted this same message to the Gentoo forums.
--
Tobias Weisserth
tobias@weisserth.[de|com|net|org]
http://www.weisserth.org
Encrypted mail is welcome.
Key and fingerprint: http://imprint.weisserth.org