On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.dun...@cox.net> wrote:

> The result of the current policy is that if you're waiting for the GLSA,
> unless it's _extreme_ priority (heartbleed level), on at least amd64,
> you're very often sitting there exposed for well over a week, and too
> often a month, after the fix is out there, actually installed on /my/
> systems. And to me that's a game of Russian Roulette odds that I'm
> simply not willing to play.
Agree. Honestly, I think we should really reconsider the current GLSA policy. I half-consider unsubscribing from them since they often come out weeks after a vulnerability is fixed on amd64, let alone discovered. If you're relying on glsa-check as the indicator as to whether you should update, then you're probably going to be vulnerable for weeks.

I wonder if it would make sense to just send them out on first-fix, or even on stablereq. The main reason that I'd hold off on sending them out at first sign of vulnerability is that information on what versions are/aren't vulnerable is going to be hazy, and it won't have clear instructions on what to do. You might end up picking the wrong version to update to and then find yourself having to update again or downgrading or running ~arch because the package maintainer decided to do something different. By the time you have a stablereq things have settled down - maybe if a bug is found on another arch you might end up with a revbump, but that is going to be minor impact and anybody doing daily updates is going to get hit by that anyway.

From a PR standpoint we'll be communicating to some users that they are vulnerable, and we haven't completely fixed the issue yet. I think we just need to reset expectations here. The fact is that today they're just as vulnerable, but we don't broadcast that. Sending out notice sooner will help out users who want to update based on GLSAs, and if there isn't a stable version yet the user can decide whether to just wait for testing or move ahead on their own.

It just seems to me that the current approach of sending out GLSAs a month after the fix is available for 98% of our users makes them fairly unuseful.

-- 
Rich