I just wanted to clarify that my intent is not to complain, or to imply that Gentoo devs aren't working hard enough, or that "Gentoo sucks" or anything of the sort; I may have transmitted the wrong impression in my previous email, for which I apologize. It is precisely because I appreciate the dedicated effort of all the Gentoo volunteers, and the high standards of quality which this distribution has always maintained, that I would hate to see such efforts subjected to unfair criticism due to a few isolated procedural problems.

The problem here wasn't, in my opinion, a lack of effort by anyone; as noted before, the fix was in the tree within hours, or within a day. The thing is, for whatever reason, the fix only came out a contextually very long time after that. This is what concerns me, and others I'm sure. It's very bad for the image of Gentoo, it gives the impression that you don't take security as seriously as others, and this -- at least in my view -- couldn't be farther from the truth. The main reason I use Gentoo Hardened on critical servers is precisely due to the effort and commitment put in by the security team at every level, from the kernel and toolchain to the user packages themselves. Nevertheless, the fact remains that anyone using Hardened was left open to a vulnerability for a longer time than would have been necessary, given that the fix was already implemented within the tree. Also, I am concerned for the users of normal gentoo-sources, who were vulnerable for a very extended period of time.

I believe that it would be a positive thing to analyze what happened, and try to learn from it so that next time things go better. I would submit that sometimes, a lengthy procedure may get in the way of getting things done; or at least, that the established procedure should be more flexible to account for these cases.

Regards,
Israel

On 10/17/2010 02:59 PM, Israel G. Lugo wrote:
> Greetings,
>
> So what's the conclusion on what happened with bug 337645? What can we
> learn from here? That everything went just fine and according to plan?
> That hardly seems like a realistic assessment. If we ignore mistakes
> instead of learning from them, we are doomed to repeat them.
>
> [...]