Gentoo Archives: gentoo-security

From: Rich Freeman <rich0@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Sat, 27 Aug 2011 13:08:03
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Tobias Heinlein
On Sat, Aug 27, 2011 at 8:34 AM, Tobias Heinlein <keytoaster@g.o> wrote:
> I have read that idea multiple times now, each of them by people not on
> the security team or something similar. It just doesn't work that way.
> It's like suggesting to ditch Bugzilla and instead enter bugs manually
> with SQL commands into a database. Well, not quite, but you get the idea.

So, if we weren't able to log or update any bugs for six months, we
would probably at least give devs a spreadsheet on google docs or
something. I wouldn't suggest that we put the distro on hold until
somebody could re-engineer bugzilla.

If we had an automatic ebuild creator and nobody created ebuilds for
six months I'd suggest that we create them by hand.

We're talking about emails and xml files - neither of which is
terribly complex. Exact format on the former is not critical, and the
syntax of the latter can be checked with standard tools. If on rare
occasion we get one wrong we fix it - just like we do with ebuilds
(the libpng glsa still shows stable amd64 as vulnerable, so simply
having a tool doesn't prevent mistakes).

>
> Also, as previously stated, we know that the tool sucks, which is why
> Alex has been working for months on new tools. We really wouldn't spend
> that much time on that if it wasn't worth it.

I have no doubt that automation is better than no automation.
However, that isn't really what we're discussing here. What we're
talking about is GLSAs vs no GLSAs. Working automated GLSAs
apparently don't exist right now. It is wonderful that a bunch of
people are looking to change that, however it doesn't really change
the fact that we're not sending out GLSAs, and that makes it hard for
people to take Gentoo seriously as a distro. If the new tool were
just a few weeks away then a few posts to -dev/-security updating
status would probably alleviate concerns. However, I think that
people have been talking about fixing the GLSA tool for ages now.

I think the fundamental problem is failing to distinguish between
operations and improvements. You can't put the former on hold to work
on the latter. It seems like we're trying to debate how to build the
Hagia Sophia while we're sleeping on dirt and rocks. In my thinking
the most critical requirement is that we send out a notice when we
have a vulnerability, and describe what the vulnerability is (in a
sentence with links), and what versions are and are not vulnerable.
When resource constraints hit a volunteer project, the solution is
usually to create a more distributed solution.

Rich

