On Friday, March 26, 2004 at 6:48, Ned Ludd wrote:

> Yeah.. We don't provide a vulnerability announcement/assessment service.
> We provide updates when they exist. If you would like a vulnerability
> announcement service then you should pay. Or simply track the
> security@g.o via bugzilla as most of us do.

I don't think that suggesting that I pay for a separate vulnerability
service is an appropriate solution. It's not simply that I don't feel like
paying; it's that more so than any other distribution, Gentoo has always had
a "community" feel, at least from the user's perspective. (I gather the
developer side of things is significantly more dictatorial.) Like many of
us on this list I have contributed a lot of my time to answering questions
in the forums.

So in that vein it seems there should be a community-based way of handling
security fixes. Had this vulnerability been made known two weeks ago, I
could have begun testing the unstable ebuild and submitting feedback about
it that much earlier. It is not so much the lack of a fix that concerns me,
as the lack of any significant discussion of the problem apart from
Bugzilla.

I take pains to keep my server secure. I am frustrated by the illogic of
regularly foisting annoying "minor" updates -- like the Perl 5.8.0 -> 5.8.2
that is currently plaguing my update process, since I remember what a
colossal pain the 5.6.0 -> 5.8.0 transition was -- while at the same time
making security fixes highly inaccessible.

(Sure, delete the perfectly functional perl 5.8.0 ebuilds, but leave the
vulnerable courier-imap one in portage. This is the worst of both worlds,
in my opinion.)

This is the first time I've seen the suggestion to track security@g.o
via Bugzilla. I will do so in the future.

Ben

--
gentoo-security@g.o mailing list