From: "Daniel A. Avelino"
To: gentoo-security@lists.gentoo.org
Date: Fri, 26 Aug 2011 14:18:20 -0300
Subject: Re: [gentoo-security] No GLSA since January?!?
References: <4E57C5D0.8090004@gocept.com> <5997A2E4-E1E7-4314-A617-5F9627C5C5BA@gmx.net>
List-Id: Gentoo Linux mail

Alex,

Maybe a more "intense" call for volunteers could improve the manpower. This could be an easier starting point to address, no?

I work too in some [smaller] security processes and can figure out what kind of work you are talking about.

As Kauhaus pointed out, maybe some things should be automated, but again, this is a hard job to implement and to keep the results trustable.

I've started following this list recently and do not yet know how work fluxes are performed here, but maybe this could be a good place to start a review of the GLSA processes. What do you think about this?

Regards,

Daniel A. Avelino

I thought it's time

On Fri, Aug 26, 2011 at 1:57 PM, JD Horelick <jdhore1@gmail.com> wrote:
> On 26 August 2011 12:43, Christoph Jasinski <Krzysiek@gmx.net> wrote:
> > Dear Christian
> >
> > Everything is secure. No reason to write GLSAs or to panic. ;)
> >
> >
> > Chris
> >
> > On 26.08.2011 at 18:12, Christian Kauhaus wrote:
> >
> >> Hi,
> >>
> >> I'm wondering that my favorite Linux distro hasn't had any security announcements since January. In my opinion this is really problematic. At our company we try to convince prospective customers to host their applications on our Gentoo servers. When asked about security incident handling, I have to say: "They state 'Security is a primary focus' on their website, but they don't inform their users." Not very convincing.
> >>
> >> So what is the roadblock that hinders GLSA creation? Is there any way to get the GLSAs into working order again?
> >>
> >> Regards
> >>
> >> Christian
> >>
> >> --
> >> Dipl.-Inf. Christian Kauhaus <>< · kc@gocept.com · systems administration
> >> gocept gmbh & co. kg · forsterstraße 29 · 06112 halle (saale) · germany
> >> http://gocept.com · tel +49 345 1229889 11 · fax +49 345 1229889 1
> >> Zope and Plone consulting and development
> >>
> >
> >
> >
> I'm sorry, but I disagree with that. I've been an (unofficial) x86 Archtester for only 2 weeks or so and since then, I've seen more than a few stabilizations needed to address security issues. Also, I've noticed this same problem of not seeing many/any GLSAs in recent history. As an example, in the past month, Debian has had 13 security advisories. I personally doubt that we (Gentoo) don't have to worry about ANY of those 13 advisories...