List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "Israel G. Lugo" <israel.lugo@...>
Subject: Re: Re: Kernel Security Update Target Delay?
Date: Sun, 17 Oct 2010 16:54:26 +0100
I just wanted to clarify that my intent is not to complain, or to imply
that Gentoo devs aren't working hard enough, or that "Gentoo sucks" or
anything of the sort; I may have transmitted the wrong impression in my
previous email, for which I apologize. It is precisely because I
appreciate the dedicated effort of all the Gentoo volunteers, and the
high standards of quality which this distribution has always maintained,
that I would hate to see such efforts subjected to unfair criticism due
to a few isolated procedural problems.

The problem here wasn't, in my opinion, a lack of effort by anyone; as
noted before, the fix was in the tree within hours, or within a day. The
thing is, for whatever reason, the fix only came out a contextually very
long time after that. This is what concerns me, and others I'm sure.
It's very bad for the image of Gentoo, it gives the impression that you
don't take security as seriously as others, and this -- at least in my
view -- couldn't be farther from the truth. The main reason I use Gentoo
Hardened on critical servers is precisely due to the effort and
commitment put in by the security team at every level, from the kernel
and toolchain to the user packages themselves. Nevertheless, the fact
remains that anyone using Hardened was left open to a vulnerability for
a longer time than would have been necessary, given that the fix was
already implemented within the tree. Also, I am concerned for the users
of normal gentoo-sources, who were vulnerable for a very extended period
of time.

I believe that it would be a positive thing to analyze what happened,
and try to learn from it so that next time things go better. I would
submit that sometimes, a lengthy procedure may get in the way of getting
things done; or at least, that the established procedure should be more
flexible to account for these cases.

Regards,
Israel

On 10/17/2010 02:59 PM, Israel G. Lugo wrote:
>  Greetings,
>
> So what's the conclusion on what happened with bug 337645? What can we
> learn from here? That everything went just fine and according to plan?
> That hardly seems like a realistic assessment. If we ignore mistakes
> instead of learning from them, we are doomed to repeat them.
>
> [...]




Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.

Copyright 2001-2013 Gentoo Foundation, Inc.