Sven Beukenex wrote:
>On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <ramereth@gentoo.org> wrote:
>
>
>>Peter Simons wrote:
>>
>>
>>>Miguel Filipe writes:
>>>
>>> > I came "sounding like an ass"? Why is that?
>>>
>>>Because you criticized the Gentoo project. It works like
>>>this: You bring up a security problem. In the replies you
>>>get, though, your actual point is flat out dismissed or
>>>never addressed at all. Instead, you and your behavior will
>>>be discussed in a very provoking manner. Once you have been
>>>thoroughly annoyed and insulted, you become defensive and
>>>lose focus of what you were trying to say in the first
>>>place! Thus, the discussion drifts away from the security
>>>problem.
>>>
>>>
>>Peter, please don't start your rant again.
>>
>>
>>
>>> > Because I talked about a LOCAL ROOT EXPLOIT ..that isn't
>>> > mentioned in the GENTOO SECURITY ML because its in the
>>> > bugs repository?
>>>
>>>The advantage of dealing with security problems _only_ in
>>>the bug tracking system is that practically nobody follows
>>>the bug tracking system -- whereas lots of people read the
>>>mailing list. Thus, there is less transparency, which means
>>>more freedom for the Gentoo core team to deal with security
>>>problems in a way that doesn't interfere with internal
>>>politics (read: egos).
>>>
>>>
>>The reason you haven't seen an email about it is because security
>>advisories get sent to gentoo-announce. It was decided a few years ago
>>to move those emails from here to there because there were a lot more
>>people on that list. The other reason you haven't seen any email about
>>this from us is because we go through a process to make sure all the
>>ebuilds are updated before we release an announcement (which is
>>documented on our site [1] ). It's not being ignored one bit, it's just
>>not very visible unless you follow bugs.
>>
>>
>
>You send the _security_ advisories to _announce_ because more people
>are subscribed to it?
>You only announce problems _after_ a fix is made??? Did it occur to
>any of you that people might want to disable vulnerable services or
>even *gasp* help produce fixes for the problems?
>We have to watch bugs.gentoo to get a total picture?
>
>I couldn't agree more with Peter, this ML is about as useful as a
>bicycle is to a fish.
>
>
>
The absolute outrage and lack of manners here is very
disappointing. Now I would be one to agree that it's quite backwards,
but the documentation clearly states where all the GLSAs are
announced. Someone already stated that one could subscribe to
security@gentoo.org on bugzilla. Then people complain that it would be
too much traffic, filtering the crap from the actual vulnerabilities.
As if forwarding all the traffic to the list would be any better, or any
different? Either way anyone that subscribes is going to get useless
bugs that were misassigned, or already patched, or are downright bogus,
God forbid they have to sort through them all.
>>> > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
>>> > here, WHY THE HELL does this ML exist?
>>>
>>>As it happens, I have a concrete proposal how to make this
>>>list more useful! How about having the bug tracking system
>>>forward all new security-related entries to this mailing
>>>list automatically? This policy would (a) increase
>>>transparency and (b) help finding volunteers from the
>>>community who care enough about a problem to be willing to
>>>dedicate time to fixing it. Thus: less work for the Gentoo
>>>core team, more security for everybody.
>>>
>>>
>>Add a watch on the bugs site like was previously mentioned. Perhaps that
>>should be better documented so people like him can follow things like that.
>>
>>
>>
>>> > Where is explained that those who want to follow security
>>> > issues that may affect their systems should track
>>> > bugs.gentoo.org?
>>>
>>>I'd very much like to see an answer to this question. The
>>>page <http://security.gentoo.org/> doesn't seem to say
>>>anything about.
>>>
>>>
>>See above. If this needs to be added, make a bug about it.
>>
>>[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>>
>>-Lance
>>
>>
>>--
>>gentoo-security@gentoo.org mailing list
>>
>>
>>
>>
--
Alec Warner
Spartasoft Secretary ( spartasoft.msu.edu )
Junior Computer Science
Michigan State University
warnera6@egr.msu.edu
--
gentoo-security@gentoo.org mailing list