Gentoo Archives: gentoo-dev

From: "Róbert Čerňanský" <openhs@×××××××××.com>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Re: Things one could be upset about
Date: Mon, 26 Jan 2015 21:41:17
Message-Id: 20150126224106.5974d97d@amit.mysel
In Reply to: Re: [gentoo-dev] Re: Things one could be upset about by Rich Freeman
On Mon, 26 Jan 2015 09:20:30 -0500
Rich Freeman <rich0@g.o> wrote:

> On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.duncan@×××.net> wrote:
> > The result of the current policy is that if you're waiting for the
> > GLSA, unless it's _extreme_ priority (heartbleed level), on at
> > least amd64, you're very often sitting there exposed for well over
> > a week, and too often a month, after the fix is out there, actually
> > installed on /my/ systems. And to me that's a game of Russian
> > Roulette odds that I'm simply not willing to play.
>
> From a PR standpoint we'll be communicating to some users that they
> are vulnerable, and we haven't completely fixed the issue yet. I
> think we just need to reset expectations here. The fact is that today
> they're just as vulnerable, but we don't broadcast that. Sending out
> notice sooner will help out users who want to update based on GLSAs,
> and if there isn't a stable version yet the user can decide whether to
> just wait for testing or move ahead on their own.

I also check other sources of security-related info and take
measures if an issue affects me (update the affected package, change
configuration, ...). I should have said "security updates" earlier instead
of "GLSAs", which would actually be closer to reality.

I agree that (unfixed) security issues should be communicated so we do
not put false hopes in GLSAs.

Robert


--
Róbert Čerňanský
E-mail: openhs@×××××××××.com
Jabber: hs@××××××.sk