Dan Margolis writes:

> Peter, this sounds, quite honestly, like you have a bit
> of an issue with paranoia.

Dan, this sounds, quite honestly, like you are side-stepping my points by attacking me instead of my argument. And attacking people who argue to increase security by calling them PARANOID of all things is disappointingly uninventive at that.

Maybe this little example helps illustrate why ad hominem attacks are considered logical fallacies: "Isaac Newton was a prick. If you ever read about the way he behaved, you'll see that. Therefore, force does not equal mass times acceleration."

Now it's your turn to say: "You are comparing yourself to Isaac Newton now? You clearly are a megalomaniac, so posting security problems to this list once they are known is not a good idea."

> As for advertising security entries on this list, there
> are currently 81 unclosed bugs in the security product.
> The turnover rate is quite high, and the volume of mail
> would clutter this list and, in my personal opinion, make
> it more difficult to use this list for what it is meant
> to be: security discussion.

Look, this may come as a shock, but entries in the Gentoo bug tracking system actually feature all kinds of meta information, like severity, categorization of the problem, categorizations of every modification made to the bug, and whatnot else. If I am not mistaken, Bugzilla comes with an excessive array of mechanisms that allow you to configure which events are forwarded via e-mail and which ones are not.

For instance: if a _new_ entry is made, the bug's description and the URL of its page on bugs.gentoo.org could be forwarded to the list, but all the 200+ additional comments appended to it in the process of ebuild hackery and other administrative problems could NOT be forwarded. So the interested reader would be informed about every bug and could decide for himself which ones to follow in detail through the bug tracking system and which ones to ignore.

I realize text filtering techniques are still a very experimental branch of information theory research, but I thought Gentoo was the kind of bleeding-edge distribution that embraced wild and promising technologies? Where is your spirit of adventure? Why don't you use your imagination to come up with ways to improve the situation, rather than coming up with reasons why it is utterly impossible to improve the situation?

> Given that infra apparently feels the same way, the
> fastest solution for your personal needs might be for you
> to sign up a Yahoo! group that is subscribed to security
> bugs on Bugzilla.

I sure could set up all kinds of mailing lists and forward all kinds of stuff to them for my personal pleasure, but that doesn't really improve the utilization of _this_ list, does it?

> It's not just that we don't hide info, we actually
> publicise it quite well. We send GLSAs to not just our
> own lists, but to a number of public lists. We publish
> GLSAs in an RDF feed.

The difference between advisories that are published once a bug is fixed and advisories that are published once the bug is known is subtle, I know. So by all means, keep mixing it up. It's not like anybody minds explaining the same things over and over again because you are attacking straw men instead of the point being made.

> We make Bugzilla entries available on the web, via
> e-mail, and even in iCal format (pretty slick, eh?).

I am impressed. All these people who have been wondering why an exploit that allows local users to gain superuser privileges hasn't been published on this mailing list although it was known and reported to Gentoo should probably install iCal, and then little disappointments like that would be a thing of the past.

Frankly, ridiculing your points is so damn easy it's not even fun. The little gremlin on my shoulder thinks you are doing that on purpose to annoy me. I just hope he is wrong!

Wait a second. There's someone at the door ...

-- 
[email protected] mailing list
