El sáb, 18-01-2014 a las 18:26 +0100, Alex Legler escribió: > On 18.01.2014 17:30, Pacho Ramos wrote: > > […] > > > > What I want to achieve is to try to get this problem solved, I don't > > think has any sense to have pending GLSA bugs waiting for ages (yes, > > ages), I see this for really a lot of packages, the pointed one was only > > one example, but there are many more (like glib, dotnet stuff...) > > Your message is profoundly lacking any proposed solutions, however it > does contain plenty of complaining. That's not a good way to solve problems. > > > > > Regarding sending this to the whole list (well, I don't understand why > > people in security team want to not get gentoo-dev ML involved), I > > simply did that as I though maybe some help/suggestions could be needed > > taking care clearly the security team is not able to fix this situation > > for really a long time and, hopefully, some other people could help with > > their effort and ideas to fix this long standing issue. > > Assuming that posing to -dev generates magical help or solutions is > quite naive. You're not the first one to post here, but and you're > certainly not the first one whose message didn't help in the slightest. > Thanks for trying though. > > As others on the list have noticed, we are working on fixing things. > Your diagnosis of us being 'clearly' unable to do so is quite > unsubstantiated. You should understand that we can't just make a bug > pile gathered over years disappear in one day. > > > > > The issue is still present even if we don't talk about it and keep > > simply ignoring all bug reports assigned to security and accumulating > > for years. The idea is to try to solve the situation, not to point to > > you, I didn't pointed to you, you will know why do you feel offended > > about this. > > > > > > Noone's offended here. I'm just saying your email doesn't serve a > purpose. If a -dev post was the solution, we'd have it by now. If you'd > like to help in a way we actually think is useful, we'd be glad to have > you fill one of our staffing needs posted or to engage in the > discussions we have on the -security list and on IRC. >
Then, how are you finally going to fix this? Only for knowing, I still was seeing some delays and, then, I though situation was not improved. For example, since this year started, I have only seen 8 GLSAs filled: http://www.gentoo.org/security/en/glsa/ Then, I thought something was still wrong as that rate didn't seem enough to me for handling upcoming security issues and the really old ones. Also, if you that 8 GLSAs, you will see the only one that has been done in a fast way is the ntp one, the other 7 took months (or years) to be handled. Then, instead of blaming on how should I have asked for clarification on this (well, looks like the main topic here is that I have asked about this in ML instead of the real problem :O), I think you should focus on explaining how are you fixing this problem. I have been long time wondering about this because: 1. I usually get lots of bugs from alias I am a member whose we go fast bumping, calling for stabilization and dropping vulnerable versions and, the, the bugs get stalled. 2. Once of the machines I maintain would benefit from being able to use glsacheck to only update vulnerable packages as not always have enough time for updating the full world