I just wanted to clarify that my intent is not to complain, or to imply
that Gentoo devs aren't working hard enough, or that "Gentoo sucks" or
anything of the sort; I may have transmitted the wrong impression in my
previous email, for which I apologize. It is precisely because I
appreciate the dedicated effort of all the Gentoo volunteers, and the
high standards of quality which this distribution has always maintained,
that I would hate to see such efforts subjected to unfair criticism due
to a few isolated procedural problems.
The problem here wasn't, in my opinion, a lack of effort by anyone; as
noted before, the fix was in the tree within hours, or within a day. The
thing is, for whatever reason, the fix only came out a contextually very
long time after that. This is what concerns me, and others I'm sure.
It's very bad for the image of Gentoo, it gives the impression that you
don't take security as seriously as others, and this -- at least in my
view -- couldn't be farther from the truth. The main reason I use Gentoo
Hardened on critical servers is precisely due to the effort and
commitment put in by the security team at every level, from the kernel
and toolchain to the user packages themselves. Nevertheless, the fact
remains that anyone using Hardened was left open to a vulnerability for
a longer time than would have been necessary, given that the fix was
already implemented within the tree. Also, I am concerned for the users
of normal gentoo-sources, who were vulnerable for a very extended period
I believe that it would be a positive thing to analyze what happened,
and try to learn from it so that next time things go better. I would
submit that sometimes, a lengthy procedure may get in the way of getting
things done; or at least, that the established procedure should be more
flexible to account for these cases.
On 10/17/2010 02:59 PM, Israel G. Lugo wrote:
> So what's the conclusion on what happened with bug 337645? What can we
> learn from here? That everything went just fine and according to plan?
> That hardly seems like a realistic assessment. If we ignore mistakes
> instead of learning from them, we are doomed to repeat them.