List Archive: gentoo-security
On Thu, Mar 18, 2004 at 12:37:09PM +0100 or thereabouts, Tobias Weisserth wrote:
> Why does it take Gentoo that long to react to security issues?
Because we don't have enough people on-staff willing to help out with these
types of issues.
> Where can I get information about who is responsible for announcing
> Gentoo security related issues? Is there an official Gentoo security
> team like Debian has? Is there a single, responsible security
> manager/director?
Myself and Joshua Brindle (method) have recently assumed responsibility for
the security project.
> Why are security announcements not handled in a consistent way? Just one
> example: There are at least three places where I have found Gentoo
> security announcements but not a single one of these announcements appeared
> in all of these places. Rather I have to search for all of those
> announcements across several non-related media to collect them all. This
> is outrageous.
At least recently (say the last 5-6 GLSAs), everything should have been
consistent.
> Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security
> announcement to full-disclosure. WHY CAN'T I FIND THIS SAME ANNOUNCEMENT
> IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?! Sorry for the screaming,
> but if the people behind Gentoo want Gentoo to be considered a
> professional and productive distribution that is equal to Debian, Red
> Hat, SuSE and the like, then you need to handle these matters in a
> professional way. What you are doing right now IS NOT professional. It
> is dangerously careless. You are irresponsible by acting this way,
> endangering everybody who chooses to use Gentoo by making them believe
> their distribution is maintained properly because they saw some good
> looking security announcement at some point while they miss almost 60%
> of other critical issues.
Screaming will get you nowhere except directed to my bit-bucket. If you
have ideas on how to improve things and are willing to back that up with
investing your own time and effort as well, then great. We can always use
more help.
> The latest security announcement on gentoo-announce is "Honeyd remote
> detection vulnerability" by Tim Yamin. This is just embarrassing. If you
> look at
> http://forums.gentoo.org/viewforum.php?f=16&sid=fbf41b023affaed791f083666ea5352b
> you'll see that the latest announcement there is "Linux kernel do_mremap
> local privilege escalation". HOW DO YOU EXPLAIN THESE INCONSISTENT
> ANNOUNCEMENTS?
I explain them by saying your facts are incorrect.
> Security announcements are totally out of sync, some are never issued
> using the appropriate channels and most of them are released hours,
> sometimes days after other distributors do.
So put your money (or, in this case, your time) where your mouth is and
help out.
> I can only advise you to take security more seriously. Running any machine
> in a productive environment with Gentoo is totally out of the question
> as long as these matters are not handled in an appropriate way. So long,
> Gentoo is only suitable for use at home to play around unless of course
> every Gentoo user is his own security team.
>
> I hope this is a wakeup call. Take care.
We're a volunteer organization and we depend on people to volunteer their
time. As I mentioned, we're short-staffed at the moment. Want to help?
Drop me an email.
--kurt