public inbox for gentoo-dev@lists.gentoo.org
From: Dale <rdalek1967@gmail.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: News item: GRUB security update
Date: Sat, 19 Dec 2015 12:28:25 -0600
Message-ID: <5675A1C9.1030802@gmail.com>
In-Reply-To: <CAGfcS_=4tTdFEXfX-kBCJ=cBJAp0=nZ_Y6XORB8Y-YhdSXfORA@mail.gmail.com>

Rich Freeman wrote:
> On Sat, Dec 19, 2015 at 8:24 AM, Tobias Heinlein <keytoaster@gentoo.org> wrote:
>> Hi,
>>
>> On 18.12.2015 21:06, Mike Gilbert wrote:
>>> Hi, please review the news item below.
>> thanks for drafting this news item. However, the usual way to inform
>> users about security flaws is by sending a GLSA. :)
>>
>> Based on your news item, we have drafted a GLSA now. It's currently
>> pending review by one other member of the security team and we will send
>> it in a few hours.
>>
> << SNIP >>
> 2.  Users probably don't regularly read GLSAs, since for the most part
> it just tells them to update packages they've probably already
> updated.  How do we make ones that actually have instructions beyond
> updating stand out?
>
> I know I stopped reading GLSAs ages ago, because they tended to tell
> me to update to a package I had updated to a week before, and when
> they said something else 90% of the time it was because there was an
> error in the GLSA (usually this happened with subslots and the GLSA
> just said <n is vulnerable and the reality is that there were a number
> of ranges that were vulnerable vs fixed).  Granted, I have caught one
> or two episodes over the years where the actual package might not have
> been completely addressed and an older slot needed fixing.
>
> I guess my point isn't that GLSAs are a bad thing, but users need a
> really high S/N ratio if we want them to pay attention.  We need to
> separate the mundane from the important.
>


+1.  Given all the changes that have been done, I don't even know how to
read them any more because I stopped a long time ago.

I might add, I also don't read blogs about this sort of thing.  About
the only time I read a blog is if it is linked to here or on -user.
Other than that, rarely if ever.

All things considered, if it isn't a news item or something I follow on
this list, I may never know about it.  I really depend on the news
items.  Just keep the noise down or folks will start to ignore them too,
although y'all are good at only telling us about things that affect us.

Dale

:-)  :-) 
