Gentoo Archives: gentoo-security

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] No GLSA since January?!?
Date: Sat, 27 Aug 2011 13:35:56
In Reply to: Re: [gentoo-security] No GLSA since January?!? by Rich Freeman
1 Rich Freeman wrote, on 08/27/2011 03:06 PM:
2 > However, that isn't really what we're discussing here. What we're
3 > talking about is GLSAs vs no GLSAs. Working automated GLSAs
4 > apparently don't exist right now. It is wonderful that a bunch of
5 > people are looking to change that, however it doesn't really change
6 > the fact that we're not sending out GLSAs, and that makes it hard for
7 > people to take Gentoo seriously as a distro.
9 Yes, we are aware of that. We know it's very unfortunate, but just
10 *stating* it doesn't get us more manpower.
12 > If the new tool were
13 > just a few weeks away then a few posts to -dev/-security updating
14 > status would probably alleviate concerns. However, I think that
15 > people have been talking about fixing the GLSA tool for ages now.
17 We currently believe the tool *is* just a few weeks away; we plan to
18 meet in person at the end of September. But I don't want to promise
19 anything as real life may get in the way anytime.
21 > I think the fundamental problem is failing to distinguish between
22 > operations and improvements. You can't put the former on hold to work
23 > on the latter.
25 Sure, but that is not the case. It's still possible to use the old
26 GLSAmaker and send out advisories; the problem is manpower. No-one
27 currently wants to do the work with the old tool (And no, editing XML
28 files manually won't motivate people either).
30 > When resource constraints hit a volunteer project, the solution is
31 > usually to create a more distributed solution.
33 That's similar to the bug wrangling situation a while ago. The queue was
34 huge and everyone knew we needed more people to wrangle the bugs. But
35 how many people actually did that for more than a few? Not even a handful.
37 Having maintainers "care" about security just won't work out. That's why
38 the security team exists in the first place.