On Sat, 18-01-2014 at 18:26 +0100, Alex Legler wrote:
> On 18.01.2014 17:30, Pacho Ramos wrote:
> > […]
> >
> > What I want to achieve is to try to get this problem solved, I don't
> > think it makes any sense to have pending GLSA bugs waiting for ages (yes,
> > ages), I see this for really a lot of packages, the pointed one was only
> > one example, but there are many more (like glib, dotnet stuff...)
>
> Your message is profoundly lacking any proposed solutions, however it
> does contain plenty of complaining. That's not a good way to solve problems.
>
> >
> > Regarding sending this to the whole list (well, I don't understand why
> > people in the security team want to not get the gentoo-dev ML involved), I
> > simply did that as I thought maybe some help/suggestions could be needed,
> > considering that clearly the security team has not been able to fix this
> > situation for a really long time and, hopefully, some other people could
> > help with their effort and ideas to fix this long-standing issue.
>
> Assuming that posting to -dev generates magical help or solutions is
> quite naive. You're not the first one to post here, and you're
> certainly not the first one whose message didn't help in the slightest.
> Thanks for trying though.
>
> As others on the list have noticed, we are working on fixing things.
> Your diagnosis of us being 'clearly' unable to do so is quite
> unsubstantiated. You should understand that we can't just make a bug
> pile gathered over years disappear in one day.
>
> >
> > The issue is still present even if we don't talk about it and keep
> > simply ignoring all bug reports assigned to security and accumulating
> > for years. The idea is to try to solve the situation, not to point at
> > you, I didn't point at you, you will know why you feel offended
> > about this.
> >
> >
>
> No one's offended here. I'm just saying your email doesn't serve a
> purpose. If a -dev post was the solution, we'd have it by now. If you'd
> like to help in a way we actually think is useful, we'd be glad to have
> you fill one of our staffing needs posted or to engage in the
> discussions we have on the -security list and on IRC.
>

Then, how are you finally going to fix this? Just to know, I was still
seeing some delays and so I thought the situation had not improved.
For example, since this year started, I have only seen 8 GLSAs filed:
http://www.gentoo.org/security/en/glsa/

Then, I thought something was still wrong, as that rate didn't seem
enough to me for handling upcoming security issues and the really old
ones. Also, if you look at those 8 GLSAs, you will see the only one that
has been done in a fast way is the ntp one, the other 7 took months (or
years) to be handled.

Then, instead of blaming me for how I should have asked for clarification
on this (well, it looks like the main topic here is that I have asked
about this on the ML instead of the real problem :O), I think you should
focus on explaining how you are fixing this problem. I have been
wondering about this for a long time because:
1. I usually get lots of bugs from aliases I am a member of, where we go
fast bumping, calling for stabilization and dropping vulnerable versions
and, then, the bugs get stalled.
2. One of the machines I maintain would benefit from being able to use
glsa-check to only update vulnerable packages, as I don't always have
enough time for updating the full world