On Sat, 08 Jan 2005 12:18:22 -0600, Lance Albertson <[EMAIL PROTECTED]> wrote:

> Peter Simons wrote:
> > Miguel Filipe writes:
> >
> > > I came "sounding like an ass"? Why is that?
> >
> > Because you criticized the Gentoo project. It works like
> > this: You bring up a security problem. In the replies you
> > get, though, your actual point is flat out dismissed or
> > never addressed at all. Instead, you and your behavior will
> > be discussed in a very provoking manner. Once you have been
> > thoroughly annoyed and insulted, you become defensive and
> > lose focus of what you were trying to say in the first
> > place! Thus, the discussion drifts away from the security
> > problem.
>
> Peter, please don't start your rant again.
>
> > > Because I talked about a LOCAL ROOT EXPLOIT ... that isn't
> > > mentioned in the GENTOO SECURITY ML because it's in the
> > > bugs repository?
> >
> > The advantage of dealing with security problems _only_ in
> > the bug tracking system is that practically nobody follows
> > the bug tracking system -- whereas lots of people read the
> > mailing list. Thus, there is less transparency, which means
> > more freedom for the Gentoo core team to deal with security
> > problems in a way that doesn't interfere with internal
> > politics (read: egos).
>
> The reason you haven't seen an email about it is because security
> advisories get sent to gentoo-announce. It was decided a few years ago
> to move those emails from here to there because there were a lot more
> people on that list. The other reason you haven't seen any email about
> this from us is because we go through a process to make sure all the
> ebuilds are updated before we release an announcement (which is
> documented on our site [1]). It's not being ignored one bit, it's just
> not very visible unless you follow bugs.
You send the _security_ advisories to _announce_ because more people are
subscribed to it? You only announce problems _after_ a fix is made??? Did
it occur to any of you that people might want to disable vulnerable
services or even *gasp* help produce fixes for the problems? We have to
watch bugs.gentoo to get a total picture? I couldn't agree more with
Peter, this ML is about as useful as a bicycle is to a fish.

> >
> > > If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> > > here, WHY THE HELL does this ML exist?
> >
> > As it happens, I have a concrete proposal how to make this
> > list more useful! How about having the bug tracking system
> > forward all new security-related entries to this mailing
> > list automatically? This policy would (a) increase
> > transparency and (b) help find volunteers from the
> > community who care enough about a problem to be willing to
> > dedicate time to fixing it. Thus: less work for the Gentoo
> > core team, more security for everybody.
>
> Add a watch on the bugs site like was previously mentioned. Perhaps that
> should be better documented so people like him can follow things like that.
>
> > > Where is it explained that those who want to follow security
> > > issues that may affect their systems should track
> > > bugs.gentoo.org?
> >
> > I'd very much like to see an answer to this question. The
> > page <http://security.gentoo.org/> doesn't seem to say
> > anything about.
>
> See above. If this needs to be added, make a bug about it.
>
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml
>
> -Lance
>
> --
> [email protected] mailing list

--
Why are the pretty ones always insane?
-- J.G. Thirlwell
