List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: Tobias Heinlein <keytoaster@g.o>
Subject: Re: No GLSA since January?!?
Date: Sat, 27 Aug 2011 15:34:27 +0200
Rich Freeman wrote, on 08/27/2011 03:06 PM:
> However, that isn't really what we're discussing here.  What we're
> talking about is GLSAs vs no GLSAs.  Working automated GLSAs
> apparently don't exist right now.  It is wonderful that a bunch of
> people are looking to change that, however it doesn't really change
> the fact that we're not sending out GLSAs, and that makes it hard for
> people to take Gentoo seriously as a distro.

Yes, we are aware of that. We know it's very unfortunate, but just
*stating* it doesn't get us more manpower.

> If the new tool were
> just a few weeks away then a few posts to -dev/-security updating
> status would probably alleviate concerns.  However, I think that
> people have been talking about fixing the GLSA tool for ages now.

We currently believe the tool *is* just a few weeks away; we plan to
meet in person at the end of September. But I don't want to promise
anything as real life may get in the way anytime.

> I think the fundamental problem is failing to distinguish between
> operations and improvements.  You can't put the former on hold to work
> on the latter.

Sure, but that is not the case. It's still possible to use the old
GLSAmaker and send out advisories; the problem is manpower. No-one
currently wants to do the work with the old tool (and no, editing XML
files manually won't motivate people either).

> When resource constraints hit a volunteer project, the solution is
> usually to create a more distributed solution.

That's similar to the bug wrangling situation a while ago. The queue was
huge and everyone knew we needed more people to wrangle the bugs. But
how many people actually did that for more than a few? Not even a handful.

Having maintainers "care" about security just won't work out. That's why
the security team exists in the first place.





Updated May 10, 2012

Summary: Archive of the gentoo-security mailing list.

Copyright 2001-2013 Gentoo Foundation, Inc.