Gentoo Archives: gentoo-security

From: Tobias Weisserth <tobias@×××××××××.de>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Gentoo security policy
Date: Thu, 18 Mar 2004 11:38:04
1 Hello everybody,
3 There seems to be a HUGE problem with consistency in Gentoo security
4 announcements and coordination among Gentoo maintainers.
6 Step by step:
8 Why does it take Gentoo that long to react to security issues?
10 Where can I get information about who is responsible for announcing
11 Gentoo security related issues? Is there an official Gentoo security
12 team like Debian has? Is there a single, responsible security
13 manager/director?
15 Why are security announcements not handled in a consistent way? Just one
16 example: There are at least three places where I have found Gentoo
17 security announcements but not a single of these announcements appeared
18 in all of these places. Rather I have to search for all of those
19 announcements across several non-related media to collect them all. This
20 is outrageous.
22 Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security
23 announcement to full-disclosure. WHY CAN'T I FIND THIS SAME ANNOUNCEMENT
24 IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?! Sorry for the screaming,
25 but if the people behind Gentoo want Gentoo to be considered a
26 professional and productive distribution that is equal to Debian, Red
27 Hat, SuSE and the like, then you need to handle these matters in a
28 professional way. What you are doing right now IS NOT professional. It
29 is dangerously careless. You are irresponsible by acting this way,
30 endangering everybody who chooses to use Gentoo by making them believe
31 their distribution is maintained properly because they saw some good
32 looking security announcement at some point while they miss almost 60%
33 of other critical issues.
35 The latest security announcement on gentoo-announce is "Honeyd remote
36 detection vulnerability" by Tim Yamin. This is just embarrassing. If you
37 look at
38 you'll see that the latest announcement there is "Linux kernel do_mremap local privilege escalation". HOW DO YOU EXPLAIN THESE INCONSISTENT ANNOUNCEMENTS?
40 Security announcements are totally out of sync, some are never issued
41 using the appropriate channels and most them are released hours,
42 sometimes days after other distributors do.
44 I can only advise you to take security more serious. Running any machine
45 in a productive environment with Gentoo is totally out of the question
46 as long as these matters are not handled in an appropriate way. So long,
47 Gentoo is only suitable for use at home to play around unless of course
48 every Gentoo user is his own security team.
50 I hope this is a wakeup call. Take care.
52 kind regards,
53 Tobias Weisserth
55 p.s.: I have posted this same message to the Gentoo forums.
57 --
58 ***************************************************
59 ____ _____
60 | _ \| ____| Tobias Weisserth
61 | | | | _| tobias@weisserth.[de|com|net|org]
62 _| |_| | |___
63 (_)____/|_____|
65 Encrypted mail is welcome.
66 Key and fingerprint:
68 ***************************************************


File name MIME type
signature.asc application/pgp-signature


Subject Author
Re: [gentoo-security] Gentoo security policy Marius Mauch <genone@g.o>
Re: [gentoo-security] Gentoo security policy Kurt Lieber <klieber@g.o>
Re: [gentoo-security] Gentoo security policy Joshua Brindle <method@g.o>