List Archive: gentoo-security
On Thu, Mar 18, 2004 at 12:37:09PM +0100 or thereabouts, Tobias Weisserth wrote:
> Why does it take Gentoo that long to react to security issues?
Because we don't have enough people on-staff willing to help out with these
types of issues.
> Where can I get information about who is responsible for announcing
> Gentoo security related issues? Is there an official Gentoo security
> team like Debian has? Is there a single, responsible security
Joshua Brindle (method) and I have recently assumed responsibility for
the security project.
> Why are security announcements not handled in a consistent way? Just one
> example: There are at least three places where I have found Gentoo
> security announcements but not a single of these announcements appeared
> in all of these places. Rather I have to search for all of those
> announcements across several non-related media to collect them all. This
> is outrageous.
At least recently (say the last 5-6 GLSAs), everything should have been
> Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security
> announcement to full-disclosure. WHY CAN'T I FIND THIS SAME ANNOUNCEMENT
> IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?! Sorry for the screaming,
> but if the people behind Gentoo want Gentoo to be considered a
> professional and productive distribution that is equal to Debian, Red
> Hat, SuSE and the like, then you need to handle these matters in a
> professional way. What you are doing right now IS NOT professional. It
> is dangerously careless. You are irresponsible by acting this way,
> endangering everybody who chooses to use Gentoo by making them believe
> their distribution is maintained properly because they saw some good
> looking security announcement at some point while they miss almost 60%
> of other critical issues.
Screaming will get you nowhere except directed to my bit-bucket. If you
have ideas on how to improve things and are willing to back that up with
investing your own time and effort as well, then great. We can always use
> The latest security announcement on gentoo-announce is "Honeyd remote
> detection vulnerability" by Tim Yamin. This is just embarrassing. If you
> look at
> http://forums.gentoo.org/viewforum.php?f=16&sid=fbf41b023affaed791f083666ea5352b
> you'll see that the latest announcement there is "Linux kernel do_mremap
> local privilege escalation". HOW DO YOU EXPLAIN THESE INCONSISTENT
> ANNOUNCEMENTS?
I explain them by saying your facts are incorrect.
> Security announcements are totally out of sync, some are never issued
> using the appropriate channels and most of them are released hours,
> sometimes days after other distributors do.
So put your money (or, in this case, your time) where your mouth is and
> I can only advise you to take security more seriously. Running any machine
> in a productive environment with Gentoo is totally out of the question
> as long as these matters are not handled in an appropriate way. So long,
> Gentoo is only suitable for use at home to play around unless of course
> every Gentoo user is his own security team.
> I hope this is a wakeup call. Take care.
We're a volunteer organization and we depend on people to volunteer their
time. As I mentioned, we're short-staffed at the moment. Want to help?
Drop me an email.