Gentoo Archives: gentoo-dev

From: Pacho Ramos <pacho@g.o>
To: gentoo-dev@l.g.o
Cc: security@g.o
Subject: Re: [gentoo-dev] Regarding long delays on GLSA generation
Date: Sat, 18 Jan 2014 17:39:02
Message-Id: 1390066729.24148.98.camel@belkin5
In Reply to: Re: [gentoo-dev] Regarding long delays on GLSA generation by Alex Legler
1 El sáb, 18-01-2014 a las 18:26 +0100, Alex Legler escribió:
2 > On 18.01.2014 17:30, Pacho Ramos wrote:
3 > > […]
4 > >
5 > > What I want to achieve is to try to get this problem solved, I don't
6 > > think has any sense to have pending GLSA bugs waiting for ages (yes,
7 > > ages), I see this for really a lot of packages, the pointed one was only
8 > > one example, but there are many more (like glib, dotnet stuff...)
9 >
10 > Your message is profoundly lacking any proposed solutions, however it
11 > does contain plenty of complaining. That's not a good way to solve problems.
12 >
13 > >
14 > > Regarding sending this to the whole list (well, I don't understand why
15 > > people in security team want to not get gentoo-dev ML involved), I
16 > > simply did that as I though maybe some help/suggestions could be needed
17 > > taking care clearly the security team is not able to fix this situation
18 > > for really a long time and, hopefully, some other people could help with
19 > > their effort and ideas to fix this long standing issue.
20 >
21 > Assuming that posing to -dev generates magical help or solutions is
22 > quite naive. You're not the first one to post here, but and you're
23 > certainly not the first one whose message didn't help in the slightest.
24 > Thanks for trying though.
25 >
26 > As others on the list have noticed, we are working on fixing things.
27 > Your diagnosis of us being 'clearly' unable to do so is quite
28 > unsubstantiated. You should understand that we can't just make a bug
29 > pile gathered over years disappear in one day.
30 >
31 > >
32 > > The issue is still present even if we don't talk about it and keep
33 > > simply ignoring all bug reports assigned to security and accumulating
34 > > for years. The idea is to try to solve the situation, not to point to
35 > > you, I didn't pointed to you, you will know why do you feel offended
36 > > about this.
37 > >
38 > >
39 >
40 > Noone's offended here. I'm just saying your email doesn't serve a
41 > purpose. If a -dev post was the solution, we'd have it by now. If you'd
42 > like to help in a way we actually think is useful, we'd be glad to have
43 > you fill one of our staffing needs posted or to engage in the
44 > discussions we have on the -security list and on IRC.
45 >
47 Then, how are you finally going to fix this? Only for knowing, I still
48 was seeing some delays and, then, I though situation was not improved.
49 For example, since this year started, I have only seen 8 GLSAs filled:
52 Then, I thought something was still wrong as that rate didn't seem
53 enough to me for handling upcoming security issues and the really old
54 ones. Also, if you that 8 GLSAs, you will see the only one that has been
55 done in a fast way is the ntp one, the other 7 took months (or years) to
56 be handled.
58 Then, instead of blaming on how should I have asked for clarification on
59 this (well, looks like the main topic here is that I have asked about
60 this in ML instead of the real problem :O), I think you should focus on
61 explaining how are you fixing this problem. I have been long time
62 wondering about this because:
63 1. I usually get lots of bugs from alias I am a member whose we go fast
64 bumping, calling for stabilization and dropping vulnerable versions and,
65 the, the bugs get stalled.
66 2. Once of the machines I maintain would benefit from being able to use
67 glsacheck to only update vulnerable packages as not always have enough
68 time for updating the full world


Subject Author
Re: [gentoo-dev] Regarding long delays on GLSA generation Alex Legler <a3li@g.o>