Rich Freeman wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@g.o> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
> << SNIP >>
> 2. Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated. How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs fixed). Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention. We need to
> separate the mundane from the important.
>

+1. Given all the changes that have been done, I don't even know how to
read them any more because I stopped a long time ago.

I might add, I also don't read blogs about this sort of thing. About
the only time I read a blog is if it is linked to here or on -user.
Other than that, rarely if ever.

All things considered, if it isn't a news item or something I follow on
this list, I may never know about it. I really depend on the news
items. Just keep the noise down or folks will start to ignore them too,
although y'all are good at only telling us about things that affect us.

Dale

:-) :-)