On Fri, 2004-03-26 at 07:28, Ben Cressey wrote:
> On Friday, March 26, 2004 at 6:48 , Ned Ludd wrote:
>
> > Yeah.. We don't provide a vulnerability announcement/assessment service.
> > We provide updates when they exist. If you would like a vulnerability
> > announcement service then you should pay. Or simply track the
> > security@g.o via bugzilla as most of us do.
>
> I don't think that suggesting that I pay for a separate vulnerability
> service is an appropriate solution. It's not simply that I don't feel like
> paying; it's that more so than any other distribution, Gentoo has always had
> a "community" feel, at least from the user's perspective. (I gather the
> developer side of things is significantly more dictatorial.) Like many of
> us on this list I have contributed a lot of my time to answering questions
> in the forums.

Of course not, I would not want to pay for basics myself either.
I only mentioned that so you would see there is a clear distinction in
the services we provide.

>
> So in that vein it seems there should be a community-based way of handling
> security fixes. Had this vulnerability been made known two weeks ago, I
> could have begun testing the unstable ebuild and submitting feedback about
> it that much earlier. It is not so much the lack of a fix that concerns me,
> as the lack of any significant discussion of the problem apart from
> Bugzilla.

Well, now that you know where to look, hopefully you will become more
involved in the process of entering bugs if you see something that's
not in bugzilla that should be there..


>
> I take pains to keep my server secure. I am frustrated by the illogic of
> regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2
> that is currently plaguing my update process, since I remember what a
> colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time
> making security fixes highly inaccessible.

> (Sure, delete the perfectly functional perl 5.8.0 ebuilds, but leave the
> vulnerable courier-imap one in portage. This is the worst of both worlds,
> in my opinion.)
>

What's all this about?
courier-imap still needs proper QA done.

> This is the first time I've seen the suggestion to track security@g.o
> via Bugzilla. I will do so in the future.

That was the underlying goal :)
The more people that are tracking the existing bugs the better.
The more that are aware and hopefully causing noise in bugzilla,
the quicker a resolution can hopefully happen.


> Ben
>
>
> --
> gentoo-security@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer