| 1 |
On Sat, Aug 27, 2011 at 8:34 AM, Tobias Heinlein <keytoaster@g.o> wrote: |
| 2 |
> I have read that idea multiple times now, each of them by people not on |
| 3 |
> the security team or something similar. It just doesn't work that way. |
| 4 |
> It's like suggesting to ditch Bugzilla and instead enter bugs manually |
| 5 |
> with SQL commands into a database. Well, not quite, but you get the idea. |
| 6 |
|
| 7 |
So, if we weren't able to log or update any bugs for six months, we |
| 8 |
would probably at least give devs a spreadsheet on google docs or |
| 9 |
something. I wouldn't suggest that we put the distro on hold until |
| 10 |
somebody could re-engineer bugzilla. |
| 11 |
|
| 12 |
If we had an automatic ebuild creator and nobody created ebuilds for |
| 13 |
six months I'd suggest that we create them by hand. |
| 14 |
|
| 15 |
We're talking about emails and xml files - neither of which are |
| 16 |
terribly complex. Exact format on the former is not critical, and the |
| 17 |
syntax of the latter can be checked with standard tools. If on rare |
| 18 |
occasion we get one wrong we fix it - just like we do with ebuilds |
| 19 |
(the libpng glsa still shows stable amd64 as vulnerable, so simply |
| 20 |
having a tool doesn't prevent mistakes). |
| 21 |
|
| 22 |
> |
| 23 |
> Also, as previously stated, we know that the tool sucks, which is why |
| 24 |
> Alex has been working for months on new tools. We really wouldn't spend |
| 25 |
> that much time on that if it wasn't worth it. |
| 26 |
|
| 27 |
I have no doubt that automation is better than no automation. |
| 28 |
However, that isn't really what we're discussing here. What we're |
| 29 |
talking about is GLSAs vs no GLSAs. Working automated GLSAs |
| 30 |
apparently don't exist right now. It is wonderful that a bunch of |
| 31 |
people are looking to change that, however it doesn't really change |
| 32 |
the fact that we're not sending out GLSAs, and that makes it hard for |
| 33 |
people to take Gentoo seriously as a distro. If the new tool were |
| 34 |
just a few weeks away then a few posts to -dev/-security updating |
| 35 |
status would probably alleviate concerns. However, I think that |
| 36 |
people have been talking about fixing the GLSA tool for ages now. |
| 37 |
|
| 38 |
I think the fundamental problem is failing to distinguish between |
| 39 |
operations and improvements. You can't put the former on hold to work |
| 40 |
on the latter. It seems like we're trying to debate how to build the |
| 41 |
Hagia Sophia while we're sleeping on dirt and rocks. In my thinking |
| 42 |
the most critical requirement is that we send out a notice when we |
| 43 |
have a vulnerability, and describe what the vulnerability is (in a |
| 44 |
sentence with links), and what versions are and are not vulnerable. |
| 45 |
When resource constraints hit a volunteer project, the solution is |
| 46 |
usually to create a more distributed solution. |
| 47 |
|
| 48 |
Rich |
Archives