On Mon, 26 Jan 2015 09:20:30 -0500
Rich Freeman <rich0@g.o> wrote:

> On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.duncan@×××.net> wrote:
> > The result of the current policy is that if you're waiting for the
> > GLSA, unless it's _extreme_ priority (heartbleed level), on at
> > least amd64, you're very often sitting there exposed for well over
> > a week, and too often a month, after the fix is out there, actually
> > installed on /my/ systems. And to me that's a game of Russian
> > Roulette odds that I'm simply not willing to play.
>
> From a PR standpoint we'll be communicating to some users that they
> are vulnerable, and we haven't completely fixed the issue yet. I
> think we just need to reset expectations here. The fact is that today
> they're just as vulnerable, but we don't broadcast that. Sending out
> notice sooner will help out users who want to update based on GLSAs,
> and if there isn't a stable version yet the user can decide whether to
> just wait for testing or move ahead on their own.

I also check other sources of security-related info and take
measures if it affects me (update the affected package, change
configuration, ...). I should have said "security updates" earlier instead
of "GLSAs", which would actually be closer to reality.

I agree that (unfixed) security issues should be communicated so we do
not put false hope in GLSAs.

Robert


--
Róbert Čerňanský
E-mail: openhs@×××××××××.com
Jabber: hs@××××××.sk