Christoph Anton Mitterer <cales...@scientia.net> writes: > Even apart from the above problems, I doubt that mail is the appropriate > mean for many admins to get notified about security upgrades.
If you don't read the mail, you're going to miss some really vital information, like packages that we are no longer supporting. I am very much opposed to giving people the impression they can just monitor the security archive and not read the DSAs. > To be honest, it's really awkward to see how much all this is apparently > fought against. I don't think people are fighting against you. I think people are unconvinced that all of the machinery that you want to put in place is worth it for some pretty marginal and esoteric security gains compared to all the other things that they could be working on. And, on top of that, you argue for them by writing encyclopedic tomes that are kind of hard to digest. Also, most of the people responding to you are not people who have the power to implement the changes you want. I don't know that you're going to like this advice, and I know it's kind of unsatisfying, but you keep picking up causes that are structured so as to require people other than you to go do work. Can you find a solution to one of these security issues that you see that you can just fix yourself? Like, in this case, a better tool for monitoring security status of packages? There is *way* more to be done in Debian than we can ever possibly accomplish, particularly in the security arena. People are prioritizing. You get to pick your own priorities, but so does everyone else. Your priorities aren't in line with the people who have to make the changes you want to see. That's super frustrating, but that doesn't mean they're obligated to change their priorities. There are limited hours in the day; some very good ideas are not going to get done. If you are getting frustrated by being blocked on other people... work on things that don't block on other people. After you do some of that, you'll often find that other people are more willing to jump into shared projects with you. >> I've run such production system clusters for many years now, and the >> machinery and tools that you need to have in place to ensure that you >> actually pushed out the security update to all systems will also >> trivially catch downgrade attacks of the type that you're describing. > I really wonder how you can do that with the above means. I read the mailing list. In practice, it works fine. -- Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/87a94ecfh1....@hope.eyrie.org
