From: Pacho Ramos <pacho@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: security@gentoo.org
Subject: Re: [gentoo-dev] Regarding long delays on GLSA generation
Date: Sat, 18 Jan 2014 18:38:49 +0100
Message-ID: <1390066729.24148.98.camel@belkin5>
In-Reply-To: <52DAB93F.50706@gentoo.org>

On Sat, 18-01-2014 at 18:26 +0100, Alex Legler wrote:
> On 18.01.2014 17:30, Pacho Ramos wrote:
> > […]
> >
> > What I want to achieve is to try to get this problem solved, I don't
> > think it makes any sense to have pending GLSA bugs waiting for ages (yes,
> > ages), I see this for really a lot of packages, the pointed one was only
> > one example, but there are many more (like glib, dotnet stuff...)
>
> Your message is profoundly lacking any proposed solutions, however it
> does contain plenty of complaining. That's not a good way to solve problems.
>
> >
> > Regarding sending this to the whole list (well, I don't understand why
> > people in security team want to not get gentoo-dev ML involved), I
> > simply did that as I thought maybe some help/suggestions could be needed
> > taking care clearly the security team is not able to fix this situation
> > for really a long time and, hopefully, some other people could help with
> > their effort and ideas to fix this long standing issue.
>
> Assuming that posting to -dev generates magical help or solutions is
> quite naive. You're not the first one to post here, and you're
> certainly not the first one whose message didn't help in the slightest.
> Thanks for trying though.
>
> As others on the list have noticed, we are working on fixing things.
> Your diagnosis of us being 'clearly' unable to do so is quite
> unsubstantiated. You should understand that we can't just make a bug
> pile gathered over years disappear in one day.
>
> >
> > The issue is still present even if we don't talk about it and keep
> > simply ignoring all bug reports assigned to security and accumulating
> > for years. The idea is to try to solve the situation, not to point to
> > you, I didn't point to you, you will know why do you feel offended
> > about this.
> >
> >
>
> No one's offended here. I'm just saying your email doesn't serve a
> purpose. If a -dev post was the solution, we'd have it by now. If you'd
> like to help in a way we actually think is useful, we'd be glad to have
> you fill one of our staffing needs posted or to engage in the
> discussions we have on the -security list and on IRC.
>
Then, how are you finally going to fix this? Only for knowing, I still
was seeing some delays and, then, I thought the situation was not improved.
For example, since this year started, I have only seen 8 GLSAs filed:
http://www.gentoo.org/security/en/glsa/

Then, I thought something was still wrong as that rate didn't seem
enough to me for handling upcoming security issues and the really old
ones. Also, if you look at those 8 GLSAs, you will see the only one that has
been done in a fast way is the ntp one, the other 7 took months (or years) to
be handled.

Then, instead of blaming on how should I have asked for clarification on
this (well, looks like the main topic here is that I have asked about
this in ML instead of the real problem :O), I think you should focus on
explaining how you are fixing this problem. I have been wondering about
this for a long time because:

1. I usually get lots of bugs from aliases I am a member of, where we go fast
bumping, calling for stabilization and dropping vulnerable versions and,
then, the bugs get stalled.
2. One of the machines I maintain would benefit from being able to use
glsa-check to only update vulnerable packages, as I do not always have enough
time for updating the full world