On 03/18/04 Tobias Weisserth wrote:

> Hello everybody,
>
> There seems to be a HUGE problem with consistency in Gentoo security
> announcements and coordination among Gentoo maintainers.
>
> Step by step:
>
> Why does it take Gentoo that long to react to security issues?
>
> Where can I get information about who is responsible for announcing
> Gentoo security related issues? Is there an official Gentoo security
> team like Debian has? Is there a single, responsible security
> manager/director?

security@g.o, I admit it's not very organized at the moment.

> Why are security announcements not handled in a consistent way? Just
> one example: There are at least three places where I have found Gentoo
> security announcements but not a single one of these announcements
> appeared in all of these places. Rather I have to search for all of
> those announcements across several non-related media to collect them
> all. This is outrageous.

All security announcements should be posted on the gentoo-announce
mailing list; in the near future they'll also show up on
http://security.gentoo.org/glsa/

> Take the latest OpenSSL issue. Aida Escriva-Sammer posted a security
> announcement to full-disclosure. WHY CAN'T I FIND THIS SAME
> ANNOUNCEMENT IN THE OFFICIAL GENTOO ANNOUNCEMENT LISTS?!?!?!

Don't know why you can't but I see it there ...

> The latest security announcement on gentoo-announce is "Honeyd remote
> detection vulnerability" by Tim Yamin. This is just embarrassing. If
> you look at
> http://forums.gentoo.org/viewforum.php?f=16&sid=fbf41b023affaed791f083666ea5352b
> you'll see that the latest announcement there is "Linux kernel
> do_mremap local privilege escalation". HOW DO YOU EXPLAIN THESE
> INCONSISTENT ANNOUNCEMENTS?

Check your subscription to gentoo-announce, there were 13 other
announcements on it after the honeyd announcement.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.