Gentoo Archives: gentoo-security

From: Ned Ludd <solar@g.o>
To: Ben Cressey <ben@×××××.org>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] courier-imap
Date: Fri, 26 Mar 2004 18:35:39
Message-Id: 1080326120.7548.102.camel@simple
In Reply to: Re: [gentoo-security] courier-imap by Ben Cressey
On Fri, 2004-03-26 at 07:28, Ben Cressey wrote:
> On Friday, March 26, 2004 at 6:48, Ned Ludd wrote:
>
> > Yeah.. We don't provide a vulnerability announcement/assessment service.
> > We provide updates when they exist. If you would like a vulnerability
> > announcement service then you should pay. Or simply track the
> > security@g.o via bugzilla as most of us do.
>
> I don't think that suggesting that I pay for a separate vulnerability
> service is an appropriate solution. It's not simply that I don't feel like
> paying; it's that more so than any other distribution, Gentoo has always had
> a "community" feel, at least from the user's perspective. (I gather the
> developer side of things is significantly more dictatorial.) Like many of
> us on this list I have contributed a lot of my time to answering questions
> in the forums.

Of course not, I would not want to pay for basics myself either.
I only mentioned that so you would see there is a clear distinction in
the services we provide.

>
> So in that vein it seems there should be a community-based way of handling
> security fixes. Had this vulnerability been made known two weeks ago, I
> could have begun testing the unstable ebuild and submitting feedback about
> it that much earlier. It is not so much the lack of a fix that concerns me,
> as the lack of any significant discussion of the problem apart from
> Bugzilla.

Well, now that you know where to look, hopefully you will become more
involved in the process of entering bugs if you see something that's
not in bugzilla that should be there.

>
> I take pains to keep my server secure. I am frustrated by the illogic of
> regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2
> that is currently plaguing my update process, since I remember what a
> colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time
> making security fixes highly inaccessible.

> (Sure, delete the perfectly functional perl 5.8.0 ebuilds, but leave the
> vulnerable courier-imap one in portage. This is the worst of both worlds,
> in my opinion.)
>

What's all this about?
courier-imap still needs proper QA done.

> This is the first time I've seen the suggestion to track security@g.o
> via Bugzilla. I will do so in the future.

That was the underlying goal :)
The more people that are tracking the existing bugs the better.
The more that are aware and hopefully causing noise in bugzilla,
the quicker a resolution can hopefully happen.

> Ben
>
>
> --
> gentoo-security@g.o mailing list
--
Ned Ludd <solar@g.o>
Gentoo Linux Developer

Attachments

File name: signature.asc
MIME type: application/pgp-signature