simons at cryp
Jan 8, 2005, 11:45 AM
Post #24 of 65
Lance Albertson writes:
Re: local root exploit for linux 2.4 and linux 2.6.
[In reply to]
>> It works like this: You bring up a security problem. In
>> the replies you get, though, your actual point is flat
>> out dismissed or never addressed at all. Instead, you
>> and your behavior will be discussed in a very provoking
>> manner. Once you have been thoroughly annoyed and
>> insulted, you become defensive and lose focus of what
>> you were trying to say in the first place! Thus, the
>> discussion drifts away from the security problem.
> Peter, please don't start your rant again.
Quod erat demonstrandum.
> The reason you haven't seen an email about it is because
> security advisories get sent to gentoo-announce. [...]
I am aware of that. However, I don't see how this relates to
the proposal of sending newly reported security problems to
_this_ list instead.
> It was decided a few years ago to move those emails from
> here to there because there were a lot more people on
> that list.
I think you are mixing up two different things, Lance. These
advisories you are talking about are issued when problems
are _fixed_ in Gentoo. We were talking about being advised
about problems once they are _known_. As you may recall,
there's occasionally a significant amount of time between
these two points.
> [A security problem is] not being ignored one bit, its
> just not very visible unless you follow bugs.
Exactly. Since hardly anybody follows the bugs, this means
that security problems are practically invisible to most
users until they are fixed in Gentoo, which, as you may
recall, takes a significant amount of time on the occasion.
To remedy this situation, I'd like to make the following
| How about having the bug tracking system forward all new
| security-related entries to this mailing list
| automatically? This policy would (a) increase
| transparency and (b) help finding volunteers from the
| community who care enough about a problem to be willing
| to dedicate time to fixing it. Thus: less work for the
| Gentoo core team, more security for everybody.
If you look closely, you'll find that I originally said that
in the very e-mail you are replying to. Curious that you
didn't address that part at all, isn't it?
> Add a watch on the bugs site like was previously mentioned.
> Perhaps that should be better documented so people like him
> can follow things like that.
Perhaps it would be simpler to post the security related
problems to this mailing list instead, so that "people like
him" don't need to configure watches on the bug tracking
system in order to learn about them?
gentoo-security [at] gentoo mailing list