About this list's purpose (AGAIN ;-)
Hi,
first, let me state in public, that I don't like this kind of meta-
discussion at all, but it seems necessary if this list is to serve
any defined purpose besides flame fests.

My point of view is, that Bugzilla and this mailing list serve different
purposes.

The discussion in Bugzilla should focus on getting issues fixed as fast
and as good as possible for _all users_ of Gentoo. Anything else would
make Bugzilla harder to use, for developers and users alike.

This mailing list should allow users and administrators to assess bugs,
to determine the impact on their specific setups and to find out which
workarounds (if any) are advisable. This is necessary, because proper
fixes take some time (this is unavoidable), but many people cannot afford
delay. Just imagine someone administrating true multi-user workstations
at a university. He could either bug developers with his questions in
Bugzilla, or simply come here to find people in a similar situation.

An additional purpose of this list is, of course, general discussion of
security issues unrelated to vulnerabilities (setup issues, help with
implementation, advice, ...)

This does mean, that Gentoo devs do *not* have to post announcements to
this list. They can do that, of course, but in the end it is up to the
users.

So, users should not complain if a vulnerability they deem important is
not posted here, instead they should simply post it themselves. Developers
can then join the discussion *about the vulnerability itself* or simply
ignore it.
Of course they can (actually should) post a link to the corresponding entry
in Bugzilla, or encourage users to file a bug if this hasn't been done
already.

IMO it's a shame if a discussion about a severe vulnerability which affects
*everyone* on this list ends up in a flamewar (or even starts as one).

Regards



--
gentoo-security@gentoo.org mailing list
Re: About this list's purpose (AGAIN ;-)
On Sun, 9 Jan 2005 16:02:15 +0100, Marc Ballarin <Ballarin.Marc@gmx.de> wrote:
...
> IMO it's a shame if a discussion about a severe vulnerability which affects
> *everyone* on this list ends up in a flamewar (or even starts as one).
>

Has any thought been given to moderation?  This might help (seems to work well
for bugtraq), but obviously would require work from someone.


Chris

Re: About this list's purpose (AGAIN ;-)
On Sun, Jan 09, 2005 at 12:03:53PM -0400, Chris L. Mason wrote:
> Has any thought been given to moderation?  This might help (seems to work well
> for bugtraq), but obviously would require work from someone.

I suspect it'd be hard to find anyone willing to take the job. To be
honest, it's probably not worth the amount of time it takes; the
Security Team is pretty much overloaded as is. Anyway, were we to do
that, it would only add to the conspiracy theories about how Gentoo is
trying to keep secret public disclosure of vulnerabilities. ;)

--
Dan Margolis
Gentoo Security/Audit
Re: About this list's purpose (AGAIN ;-)
On Sun, 9 Jan 2005 16:02:15 +0100
Marc Ballarin <Ballarin.Marc@gmx.de> wrote:

> Hi,
> first, let me state in public, that I don't like this kind of meta-
> discussion at all, but it seems necessary if this list is to serve
> any defined purpose besides flame fests.
>
> My point of view is, that Bugzilla and this mailing list serve
> different purposes.
>
> The discussion in Bugzilla should focus on getting issues fixed as
> fast and as good as possible for _all users_ of Gentoo. Anything else
> would make Bugzilla harder to use, for developers and users alike.
>
> This mailing list should allow users and administrators to assess
> bugs, to determine the impact on their specific setups and to find out
> which workarounds (if any) are advisable. This is necessary, because
> proper fixes take some time (this is unavoidable), but many people
> cannot afford delay. Just imagine someone administrating true
> multi-user workstations at a university. He could either bug
> developers with his questions in Bugzilla, or simply come here to find
> people in a similar situation.

Sigh, after reading through this "discussion" again, I'm for dissolving
this list entirely and replacing it by at least two new lists. The idea
was already posted by Cameron Blackwood, so I'll just quote it here:

> Maybe rather than another round of 'discussion' about people
> we should discuss the creation of:
>
> gentoo-security-discussion@
> gentoo-security-announce@
> gentoo-security-resolved@
>
> or at least this new list that it seems a few people would be
> interested in.

Personally I don't think there is a real need for the -resolved list as
that's already the purpose of gentoo-announce@ and I'd rename
gentoo-security-announce@ to -unresolved or something like that and just
relay new security bug mails there.

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.
Re: About this list's purpose (AGAIN ;-)
Marius Mauch <genone@gentoo.org> wrote:
> Sigh, after reading through this "discussion" again, I'm for dissolving
> this list entirely and replacing it by at least two new lists.

There's nothing wrong with this list.

It is reasonable to have this list not be about reporting bugs, but it
is just as reasonable to expect that people will sometimes mention
bugs here. That's the same as the case where a program, like a
standard C compiler, is required to accept "non-conforming" input.

--
Barry.Schwartz@chemoelectric.org http://www.chemoelectric.org
"I have directed that in the future I sign each letter." -- Rumsfeld