To: gentoo-dev@lists.gentoo.org
From: Duncan <1i5t5.duncan@cox.net>
Subject: [gentoo-dev] Re: Regarding long delays on GLSA generation
Date: Sat, 18 Jan 2014 19:10:39 +0000 (UTC)

Dirkjan Ochtman posted on Sat, 18 Jan 2014 17:33:36 +0100 as excerpted:

> On Sat, Jan 18, 2014 at 5:30 PM, Pacho Ramos wrote:
>> What I want to achieve is to try to get this problem solved, I don't
>> think has any sense to have pending GLSA bugs waiting for ages (yes,
>> ages), I see this for really a lot of packages, the pointed one was
>> only one example, but there are many more (like glib, dotnet stuff...)
>
> From my perception, the security team in recent months has gone through
> great lengths to improve the process and to work on the backlog of old
> security bugs. AIUI, this *is* getting fixed, it just takes some time to
> fix it properly.

Same here. I've been glad to see the GLSAs moving again, even if seeing
LWN mention that it's a three-year-out (or was it five?) notice is a bit
... gulp-worthy... even if on ~arch plus hard-unmasked pre-release
overlays I rarely see a GLSA that actually applies to me. (Tho I'd just
done the NTP update, noting the security issue from the changelog, and
was glad to see the official GLSA for it with additional detail.)

Still, if it's five years out and catching up, at least we have people
working on it now and it's happening! =:^)

But it's good to see this thread with the details posted. There was
mention that it had been discussed on dev before, but if so, I hadn't
seen it, at least in that detail. So I believe it was a reasonable
question, with now a reasonable answer. =:^)

Thanks again. That's a vital bit of gentoo that got stuck for a bit, and
I'm very appreciative that /someone/ is doing that hard and unglamorous
work without a lot of thanks. =:^)

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman