| 1 |
On Friday, March 26, 2004 at 6:48 , Ned Ludd wrote: |
| 2 |
|
| 3 |
> Yeah.. We don't provide a vulnerability announcement/assessment service. |
| 4 |
> We provide updates when they exist. If you would like a vulnerability |
| 5 |
> announcement service then you should pay. Or simply track the |
| 6 |
> security@g.o via bugzilla as most us do. |
| 7 |
|
| 8 |
I don't think that suggesting that I pay for a separate vulnerability |
| 9 |
service is an appropriate solution. It's not simply that I don't feel like |
| 10 |
paying; it's that more so than any other distribution, Gentoo has always had |
| 11 |
a "community" feel, at least from the user's perspective. (I gather the |
| 12 |
developer side of things is significantly more dictatorial.) Like many of |
| 13 |
us on this list I have contributed a lot of my time to answering questions |
| 14 |
in the forums. |
| 15 |
|
| 16 |
So in that vein it seems there should be a community-based way of handling |
| 17 |
security fixes. Had this vulnerability been made known two weeks ago, I |
| 18 |
could have begun testing the unstable ebuild and submitting feedback about |
| 19 |
it that much earlier. It is not so much the lack of a fix that concerns me, |
| 20 |
as the lack of any significant discussion of the problem apart from |
| 21 |
Bugzilla. |
| 22 |
|
| 23 |
I take pains to keep my server secure. I am frustrated by the illogic of |
| 24 |
regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2 |
| 25 |
that is currently plaguing my update process, since I remember what a |
| 26 |
colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time |
| 27 |
making security fixes highly inaccessible. |
| 28 |
|
| 29 |
(Sure, delete the perfectly functional perl 5.8.0 ebuilds, but leave the |
| 30 |
vulnerable courier-imap one in portage. This is the worst of both worlds, |
| 31 |
in my opinion.) |
| 32 |
|
| 33 |
This is the first time I've seen the suggestion to track security@g.o |
| 34 |
via Bugzilla. I will do so in the future. |
| 35 |
|
| 36 |
Ben |
| 37 |
|
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-security@g.o mailing list |
Archives