| 1 |
On Fri, Mar 26, 2004 at 07:28:03AM -0500 or thereabouts, Ben Cressey wrote: |
| 2 |
> I don't think that suggesting that I pay for a separate vulnerability |
| 3 |
> service is an appropriate solution. It's not simply that I don't feel like |
| 4 |
> paying; it's that more so than any other distribution, Gentoo has always had |
| 5 |
> a "community" feel, at least from the user's perspective. (I gather the |
| 6 |
> developer side of things is significantly more dictatorial.) Like many of |
| 7 |
> us on this list I have contributed a lot of my time to answering questions |
| 8 |
> in the forums. |
| 9 |
|
| 10 |
I think solar was suggesting that our core competencies as a project do not |
| 11 |
include notifying the community every time a new security vulnerability is |
| 12 |
released. There are already a number of community-based resources that do |
| 13 |
just that (bugtraq, etc). We're already strapped for resources and time, |
| 14 |
so suggesting that we take on this additional responsibility is not |
| 15 |
feasible at this point in time. |
| 16 |
|
| 17 |
> So in that vein it seems there should be a community-based way of handling |
| 18 |
> security fixes. Had this vulnerability been made known two weeks ago, I |
| 19 |
> could have begun testing the unstable ebuild and submitting feedback about |
| 20 |
> it that much earlier. It is not so much the lack of a fix that concerns me, |
| 21 |
> as the lack of any significant discussion of the problem apart from |
| 22 |
> Bugzilla. |
| 23 |
|
| 24 |
This is an open list -- people are free to discuss whatever |
| 25 |
security-related issues they wish to here. |
| 26 |
|
| 27 |
> I take pains to keep my server secure. I am frustrated by the illogic of |
| 28 |
> regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2 |
| 29 |
> that is currently plaguing my update process, since I remember what a |
| 30 |
> colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time |
| 31 |
> making security fixes highly inaccessible. |
| 32 |
|
| 33 |
Suggesting that we deliberately made security fixes "inaccessible" is |
| 34 |
inaccurate. We are a community-based distro and are thus highly-dependent |
| 35 |
on our community members to provide support and volunteer their time to |
| 36 |
help make Gentoo better. If enough people do not volunteer their time, |
| 37 |
things like this will happen, plain and simple. |
| 38 |
|
| 39 |
We have made efforts to recruit additional help with some success. You can |
| 40 |
also help by proactively monitoring security lists, filing bugs, creating |
| 41 |
patches, testing security-relateed ebuilds etc. If everyone sits around |
| 42 |
passively waiting for someone else to tell them there is a problem, nothing |
| 43 |
will ever get done. I'm sorry if that comes across as rude (I don't mean |
| 44 |
it that way) but I want to be explicitly clear: without your *active* |
| 45 |
participation, we will not have a robust, solid security project. ("your" |
| 46 |
refers to the entire list, btw, not just you specifically). |
| 47 |
|
| 48 |
--kurt |
Archives