| 1 |
Rich Freeman wrote: |
| 2 |
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@g.o> wrote: |
| 3 |
>> Hi, |
| 4 |
>> |
| 5 |
>> On 18.12.2015 21:06, Mike Gilbert wrote: |
| 6 |
>>> Hi, please review the news item below. |
| 7 |
>> thanks for drafting this news item. However, the usual way to inform |
| 8 |
>> users about security flaws is by sending a GLSA. :) |
| 9 |
>> |
| 10 |
>> Based on your news item, we have drafted a GLSA now. It's currently |
| 11 |
>> pending review by one other member of the security team and we will send |
| 12 |
>> it in a few hours. |
| 13 |
>> |
| 14 |
> << SNIP >> |
| 15 |
> 2. Users probably don't regularly read GLSAs, since for the most part |
| 16 |
> it just tells them to update packages they've probably already |
| 17 |
> updated. How do we make ones that actually have instructions beyond |
| 18 |
> updating stand out? |
| 19 |
> |
| 20 |
> I know I stopped reading GLSAs ages ago, because they tended to tell |
| 21 |
> me to update to a package I had updated to a week before, and when |
| 22 |
> they said something else 90% of the time it was because there was an |
| 23 |
> error in the GLSA (usually this happened with subslots and the GLSA |
| 24 |
> just said <n is vulnerable and the reality is that there were a number |
| 25 |
> of ranges that were vulnerable vs fixed). Granted, I have caught one |
| 26 |
> or two episodes over the years where the actual package might not have |
| 27 |
> been completely addressed and an older slot needed fixing. |
| 28 |
> |
| 29 |
> I guess my point isn't that GLSAs are a bad thing, but users need a |
| 30 |
> really high S/N ratio if we want them to pay attention. We need to |
| 31 |
> separate the mundane from the important. |
| 32 |
> |
| 33 |
|
| 34 |
|
| 35 |
+1. Given all the changes that have been done, I don't even know how to |
| 36 |
read them any more because I stopped a long time ago. |
| 37 |
|
| 38 |
I might add, I also don't read blogs about this sort of thing. About |
| 39 |
the only time I read a blog is if it is linked to here or on -user. |
| 40 |
Other than that, rarely if ever. |
| 41 |
|
| 42 |
All things considered, if it isn't a news item or something I follow on |
| 43 |
this list, I may never know about it. I really depend on the news |
| 44 |
items. Just keep the noise down or folks will start to ignore them too, |
| 45 |
although y'all are good at it only telling us about things that affect us. |
| 46 |
|
| 47 |
Dale |
| 48 |
|
| 49 |
:-) :-) |
Archives