On Fri, Mar 26, 2004 at 07:28:03AM -0500 or thereabouts, Ben Cressey wrote:

> I don't think that suggesting that I pay for a separate vulnerability
> service is an appropriate solution. It's not simply that I don't feel like
> paying; it's that more so than any other distribution, Gentoo has always had
> a "community" feel, at least from the user's perspective. (I gather the
> developer side of things is significantly more dictatorial.) Like many of
> us on this list I have contributed a lot of my time to answering questions
> in the forums.

I think solar was suggesting that our core competencies as a project do not
include notifying the community every time a new security vulnerability is
released. There are already a number of community-based resources that do
just that (bugtraq, etc). We're already strapped for resources and time,
so suggesting that we take on this additional responsibility is not
feasible at this point in time.

> So in that vein it seems there should be a community-based way of handling
> security fixes. Had this vulnerability been made known two weeks ago, I
> could have begun testing the unstable ebuild and submitting feedback about
> it that much earlier. It is not so much the lack of a fix that concerns me,
> as the lack of any significant discussion of the problem apart from
> Bugzilla.

This is an open list -- people are free to discuss whatever
security-related issues they wish to here.

> I take pains to keep my server secure. I am frustrated by the illogic of
> regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2
> that is currently plaguing my update process, since I remember what a
> colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time
> making security fixes highly inaccessible.

Suggesting that we deliberately made security fixes "inaccessible" is
inaccurate. We are a community-based distro and are thus highly dependent
on our community members to provide support and volunteer their time to
help make Gentoo better. If enough people do not volunteer their time,
things like this will happen, plain and simple.

We have made efforts to recruit additional help with some success. You can
also help by proactively monitoring security lists, filing bugs, creating
patches, testing security-related ebuilds etc. If everyone sits around
passively waiting for someone else to tell them there is a problem, nothing
will ever get done. I'm sorry if that comes across as rude (I don't mean
it that way) but I want to be explicitly clear: without your *active*
participation, we will not have a robust, solid security project. ("your"
refers to the entire list, btw, not just you specifically).

--kurt