On Sat, Aug 27, 2011 at 8:34 AM, Tobias Heinlein <keytoaster@g.o> wrote:
> I have read that idea multiple times now, each of them by people not on
> the security team or something similar. It just doesn't work that way.
> It's like suggesting to ditch Bugzilla and instead enter bugs manually
> with SQL commands into a database. Well, not quite, but you get the idea.

So, if we weren't able to log or update any bugs for six months, we would probably at least give devs a spreadsheet on Google Docs or something. I wouldn't suggest that we put the distro on hold until somebody could re-engineer Bugzilla.

If we had an automatic ebuild creator and nobody created ebuilds for six months, I'd suggest that we create them by hand.

We're talking about emails and XML files, neither of which is terribly complex. The exact format of the former is not critical, and the syntax of the latter can be checked with standard tools. If on rare occasion we get one wrong, we fix it, just like we do with ebuilds (the libpng GLSA still shows stable amd64 as vulnerable, so simply having a tool doesn't prevent mistakes).

>
> Also, as previously stated, we know that the tool sucks, which is why
> Alex has been working for months on new tools. We really wouldn't spend
> that much time on that if it wasn't worth it.

I have no doubt that automation is better than no automation. However, that isn't really what we're discussing here. What we're talking about is GLSAs vs. no GLSAs. Working automated GLSAs apparently don't exist right now. It is wonderful that a bunch of people are looking to change that; however, it doesn't really change the fact that we're not sending out GLSAs, and that makes it hard for people to take Gentoo seriously as a distro. If the new tool were just a few weeks away, then a few posts to -dev/-security updating status would probably alleviate concerns. However, I think that people have been talking about fixing the GLSA tool for ages now.

I think the fundamental problem is failing to distinguish between operations and improvements. You can't put the former on hold to work on the latter. It seems like we're trying to debate how to build the Hagia Sophia while we're sleeping on dirt and rocks. In my thinking, the most critical requirement is that we send out a notice when we have a vulnerability, and describe what the vulnerability is (in a sentence with links), and what versions are and are not vulnerable. When resource constraints hit a volunteer project, the solution is usually to create a more distributed solution.

Rich