| 1 |
El sáb, 18-01-2014 a las 18:26 +0100, Alex Legler escribió: |
| 2 |
> On 18.01.2014 17:30, Pacho Ramos wrote: |
| 3 |
> > […] |
| 4 |
> > |
| 5 |
> > What I want to achieve is to try to get this problem solved, I don't |
| 6 |
> > think has any sense to have pending GLSA bugs waiting for ages (yes, |
| 7 |
> > ages), I see this for really a lot of packages, the pointed one was only |
| 8 |
> > one example, but there are many more (like glib, dotnet stuff...) |
| 9 |
> |
| 10 |
> Your message is profoundly lacking any proposed solutions, however it |
| 11 |
> does contain plenty of complaining. That's not a good way to solve problems. |
| 12 |
> |
| 13 |
> > |
| 14 |
> > Regarding sending this to the whole list (well, I don't understand why |
| 15 |
> > people in security team want to not get gentoo-dev ML involved), I |
| 16 |
> > simply did that as I though maybe some help/suggestions could be needed |
| 17 |
> > taking care clearly the security team is not able to fix this situation |
| 18 |
> > for really a long time and, hopefully, some other people could help with |
| 19 |
> > their effort and ideas to fix this long standing issue. |
| 20 |
> |
| 21 |
> Assuming that posing to -dev generates magical help or solutions is |
| 22 |
> quite naive. You're not the first one to post here, but and you're |
| 23 |
> certainly not the first one whose message didn't help in the slightest. |
| 24 |
> Thanks for trying though. |
| 25 |
> |
| 26 |
> As others on the list have noticed, we are working on fixing things. |
| 27 |
> Your diagnosis of us being 'clearly' unable to do so is quite |
| 28 |
> unsubstantiated. You should understand that we can't just make a bug |
| 29 |
> pile gathered over years disappear in one day. |
| 30 |
> |
| 31 |
> > |
| 32 |
> > The issue is still present even if we don't talk about it and keep |
| 33 |
> > simply ignoring all bug reports assigned to security and accumulating |
| 34 |
> > for years. The idea is to try to solve the situation, not to point to |
| 35 |
> > you, I didn't pointed to you, you will know why do you feel offended |
| 36 |
> > about this. |
| 37 |
> > |
| 38 |
> > |
| 39 |
> |
| 40 |
> Noone's offended here. I'm just saying your email doesn't serve a |
| 41 |
> purpose. If a -dev post was the solution, we'd have it by now. If you'd |
| 42 |
> like to help in a way we actually think is useful, we'd be glad to have |
| 43 |
> you fill one of our staffing needs posted or to engage in the |
| 44 |
> discussions we have on the -security list and on IRC. |
| 45 |
> |
| 46 |
|
| 47 |
Then, how are you finally going to fix this? Only for knowing, I still |
| 48 |
was seeing some delays and, then, I though situation was not improved. |
| 49 |
For example, since this year started, I have only seen 8 GLSAs filled: |
| 50 |
http://www.gentoo.org/security/en/glsa/ |
| 51 |
|
| 52 |
Then, I thought something was still wrong as that rate didn't seem |
| 53 |
enough to me for handling upcoming security issues and the really old |
| 54 |
ones. Also, if you that 8 GLSAs, you will see the only one that has been |
| 55 |
done in a fast way is the ntp one, the other 7 took months (or years) to |
| 56 |
be handled. |
| 57 |
|
| 58 |
Then, instead of blaming on how should I have asked for clarification on |
| 59 |
this (well, looks like the main topic here is that I have asked about |
| 60 |
this in ML instead of the real problem :O), I think you should focus on |
| 61 |
explaining how are you fixing this problem. I have been long time |
| 62 |
wondering about this because: |
| 63 |
1. I usually get lots of bugs from alias I am a member whose we go fast |
| 64 |
bumping, calling for stabilization and dropping vulnerable versions and, |
| 65 |
the, the bugs get stalled. |
| 66 |
2. Once of the machines I maintain would benefit from being able to use |
| 67 |
glsacheck to only update vulnerable packages as not always have enough |
| 68 |
time for updating the full world |
Archives