| 1 |
On 03/18/04 Tobias Weisserth wrote: |
| 2 |
|
| 3 |
> Hello everybody, |
| 4 |
> |
| 5 |
> There seems to be a HUGE problem with consistency in Gentoo security |
| 6 |
> announcements and coordination among Gentoo maintainers. |
| 7 |
> |
| 8 |
> Step by step: |
| 9 |
> |
| 10 |
> Why does it take Gentoo that long to react to security issues? |
| 11 |
> |
| 12 |
> Where can I get information about who is responsible for announcing |
| 13 |
> Gentoo security related issues? Is there an official Gentoo security |
| 14 |
> team like Debian has? Is there a single, responsible security |
| 15 |
> manager/director? |
| 16 |
|
| 17 |
security@g.o, I admit it's not very organized at the moment. |
| 18 |
|
| 19 |
> Why are security announcements not handled in a consistent way? Just |
| 20 |
> one example: There are at least three places where I have found Gentoo |
| 21 |
> security announcements but not a single of these announcements |
| 22 |
> appeared in all of these places. Rather I have to search for all of |
| 23 |
> those announcements across several non-related media to collect them |
| 24 |
> all. This is outrageous. |
| 25 |
|
| 26 |
All security announcements should be posted on the gentoo-announce |
| 27 |
mailing list, in the near future they'll also show up on |
| 28 |
http://security.gentoo.org/glsa/ |
| 29 |
|
| 30 |
> Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security |
| 31 |
> announcement to full-disclosure. WHY CAN'T I FIND THIS SAME |
| 32 |
> ANNOUNCEMENT IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?! |
| 33 |
|
| 34 |
Don't know why you can't but I see it there ... |
| 35 |
|
| 36 |
> The latest security announcement on gentoo-announce is "Honeyd remote |
| 37 |
> detection vulnerability" by Tim Yamin. This is just embarrassing. If |
| 38 |
> you look at |
| 39 |
> http://forums.gentoo.org/viewforum.php?f=16&sid=fbf41b023affaed791f083666ea5352b |
| 40 |
> you'll see that the latest announcement there is "Linux kernel |
| 41 |
> do_mremap local privilege escalation". HOW DO YOU EXPLAIN THESE |
| 42 |
> INCONSISTENT ANNOUNCEMENTS? |
| 43 |
|
| 44 |
Check your subscription to gentoo-announce, there were 13 other |
| 45 |
announcements on it after the honeyd announcement. |
| 46 |
|
| 47 |
Marius |
| 48 |
|
| 49 |
-- |
| 50 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 51 |
|
| 52 |
In the beginning, there was nothing. And God said, 'Let there be |
| 53 |
Light.' And there was still nothing, but you could see a bit better. |
Archives