Lance Albertson writes:

 >> It works like this: You bring up a security problem. In
 >> the replies you get, though, your actual point is flat
 >> out dismissed or never addressed at all. Instead, you
 >> and your behavior will be discussed in a very provoking
 >> manner. Once you have been thoroughly annoyed and
 >> insulted, you become defensive and lose focus on what
 >> you were trying to say in the first place! Thus, the
 >> discussion drifts away from the security problem.

 > Peter, please don't start your rant again.

Quod erat demonstrandum.


 > The reason you haven't seen an email about it is because
 > security advisories get sent to gentoo-announce. [...]

I am aware of that. However, I don't see how this relates to
the proposal of sending newly reported security problems to
_this_ list instead.


 > It was decided a few years ago to move those emails from
 > here to there because there were a lot more people on
 > that list.

I think you are mixing up two different things, Lance. These
advisories you are talking about are issued when problems
are _fixed_ in Gentoo. We were talking about being advised
about problems once they are _known_. As you may recall,
there's occasionally a significant amount of time between
these two points.


 > [A security problem is] not being ignored one bit, it's
 > just not very visible unless you follow bugs.

Exactly. Since hardly anybody follows the bugs, this means
that security problems are practically invisible to most
users until they are fixed in Gentoo, which, as you may
recall, takes a significant amount of time on occasion.
To remedy this situation, I'd like to make the following
proposal:

 | How about having the bug tracking system forward all new
 | security-related entries to this mailing list
 | automatically? This policy would (a) increase
 | transparency and (b) help find volunteers from the
 | community who care enough about a problem to be willing
 | to dedicate time to fixing it. Thus: less work for the
 | Gentoo core team, more security for everybody.

If you look closely, you'll find that I originally said that
in the very e-mail you are replying to. Curious that you
didn't address that part at all, isn't it?


 > Add a watch on the bugs site like was previously mentioned.
 > Perhaps that should be better documented so people like him
 > can follow things like that.

Perhaps it would be simpler to post the security-related
problems to this mailing list instead, so that "people like
him" don't need to configure watches on the bug tracking
system in order to learn about them?

Peter


--
[email protected] mailing list
