Miguel Filipe writes:
> I came "sounding like an ass"? Why is that?
Because you criticized the Gentoo project. It works like
this: You bring up a security problem. In the replies you
get, though, your actual point is flat out dismissed or
never addressed at all. Instead, you and your behavior will
be discussed in a very provoking manner. Once you have been
thoroughly annoyed and insulted, you become defensive and
lose focus of what you were trying to say in the first
place! Thus, the discussion drifts away from the security
problem.
> Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
> mentioned in the GENTOO SECURITY ML because it's in the
> bugs repository?
The advantage of dealing with security problems _only_ in
the bug tracking system is that practically nobody follows
the bug tracking system -- whereas lots of people read the
mailing list. Thus, there is less transparency, which means
more freedom for the Gentoo core team to deal with security
problems in a way that doesn't interfere with internal
politics (read: egos).
> If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> here, WHY THE HELL does this ML exist?
As it happens, I have a concrete proposal how to make this
list more useful! How about having the bug tracking system
forward all new security-related entries to this mailing
list automatically? This policy would (a) increase
transparency and (b) help finding volunteers from the
community who care enough about a problem to be willing to
dedicate time to fixing it. Thus: less work for the Gentoo
core team, more security for everybody.
> Where is it explained that those who want to follow security
> issues that may affect their systems should track
> bugs.gentoo.org?
I'd very much like to see an answer to this question. The
page <http://security.gentoo.org/> doesn't seem to say
anything about it.
Peter
--
gentoo-security@gentoo.org mailing list