From: Pacho Ramos <pacho@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: security@gentoo.org
Subject: Re: [gentoo-dev] Regarding long delays on GLSA generation
Date: Sat, 18 Jan 2014 18:38:49 +0100
Message-ID: <1390066729.24148.98.camel@belkin5>
In-Reply-To: <52DAB93F.50706@gentoo.org>
References: <1390059274.24148.80.camel@belkin5> <52DAA58B.7060402@gentoo.org> <1390062615.24148.87.camel@belkin5> <52DAB93F.50706@gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
On Sat, 18-01-2014 at 18:26 +0100, Alex Legler wrote:
> On 18.01.2014 17:30, Pacho Ramos wrote:
> > […]
> >
> > What I want to achieve is to try to get this problem solved. I don't
> > think it makes any sense to have pending GLSA bugs waiting for ages (yes,
> > ages). I see this for really a lot of packages; the one I pointed to was only
> > one example, but there are many more (like glib, dotnet stuff...)
>
> Your message is profoundly lacking any proposed solutions; however, it
> does contain plenty of complaining. That's not a good way to solve problems.
>
> > Regarding sending this to the whole list (well, I don't understand why
> > people in the security team don't want to get the gentoo-dev ML involved), I
> > simply did that as I thought maybe some help/suggestions could be needed,
> > seeing that clearly the security team has not been able to fix this situation
> > for a really long time and, hopefully, some other people could help with
> > their effort and ideas to fix this long-standing issue.
>
> Assuming that posting to -dev generates magical help or solutions is
> quite naive. You're not the first one to post here, and you're
> certainly not the first one whose message didn't help in the slightest.
> Thanks for trying though.
>
> As others on the list have noticed, we are working on fixing things.
> Your diagnosis of us being 'clearly' unable to do so is quite
> unsubstantiated. You should understand that we can't just make a bug
> pile gathered over years disappear in one day.
>
> > The issue is still present even if we don't talk about it and keep
> > simply ignoring all bug reports assigned to security and accumulating
> > for years. The idea is to try to solve the situation, not to point at
> > you. I didn't point at you; you will know why you feel offended
> > about this.
>
> No one's offended here. I'm just saying your email doesn't serve a
> purpose. If a -dev post were the solution, we'd have it by now. If you'd
> like to help in a way we actually think is useful, we'd be glad to have
> you fill one of the staffing needs we posted or to engage in the
> discussions we have on the -security list and on IRC.
>

Then, how are you finally going to fix this? Just for the record, I was still seeing some delays and so I thought the situation had not improved. For example, since this year started, I have only seen 8 GLSAs filed:
http://www.gentoo.org/security/en/glsa/

So I thought something was still wrong, as that rate didn't seem enough to me for handling upcoming security issues and the really old ones. Also, if you look at those 8 GLSAs, you will see the only one that has been handled in a fast way is the ntp one; the other 7 took months (or years) to be handled.

Then, instead of blaming me for how I should have asked for clarification on this (well, it looks like the main topic here is that I have asked about this on the ML instead of the real problem :O), I think you should focus on explaining how you are fixing this problem. I have been wondering about this for a long time because:

1. I usually get lots of bugs from aliases I am a member of, where we go fast bumping, calling for stabilization and dropping vulnerable versions and, then, the bugs get stalled.
2. One of the machines I maintain would benefit from being able to use glsacheck to only update vulnerable packages, as I don't always have enough time for updating the full world.