Daniel Ostrow wrote:
You are correct, there is no clear cut place for them to go...that's how
this thing got started in the first place. However why force users to
sign up for something which can't be appropriately filtered (installed
packages, keywords, use flags, profiles, etc.) when all of them are
already "signed up" for something that can track and filter, portage.

I wouldn't necessarily bother signing up for an errata list if said list
was going to provide me with *all* the errata out there. The reason that
a mailing list works for RedHat is because RHN tracks what packages you
have installed on your system on *their* server (again something you
have to sign up for, and worse send them info about your configuration),
so the filtering is done for you. We will *never* do something like
this, we have a client side tool that can identify what is installed
already...why not use it?

What if an admin just wants to see all errata messages because (s)he
doesn't feel like aggregating the unique messages from a whole cluster
of machines running Gentoo with all different packages installed?

It is a well-known fact that removing seemingly useless background noise
can cause relations between problems not to be recognised.  Some users
know that and hence would like to see all errata.

Our GLSAs are sent out exactly in the same way, but there is not a word on them in the GLEP, neither does anyone seem to care about them, while they seem to me at least ***VERY*** important, that is, much more important than a message about breaking my installation. And they aren't even personalised!

Users don't care about security[1], administrators do.
Administrators don't care about breaking installations[2], users do.

About the RHN subscription thing, that service is IMHO quite expensive
(certainly not free) and not available to Fedora Core users. I don't think you _want_ to compare Gentoo Linux Free support to support provided by commercial entities for an annual membership fee.


The issue whether news or GLSAs are important and whether they can be read or not is of relevance with regard to the motivation of the GLEP which assumes it doesn't work for anybody, while I claim it 1) doesn't work because the information is hard to find and 2) it will work for a certain group of people very well if the information would be there.

To conclude my far too lengthy replies here:
I'd like to see some recognition that the world isn't that flat as the GLEP suggests, thereby including opportunities for everyone to be happy with the GLEP. I already stated this in my first reply in my part on "use-scenarios".

Don't worry I'll shut up now as there is clearly no interest for a bit broader thinking.


[1] (linux) desktop users are of a much lower target than big companies for security exploits
[2] administrators try out package upgrades on a spare box first, users usually don't have such box, or risk the potential impact


--
Fabian Groffen
Gentoo for Mac OS X Project -- Interim Lead

--
gentoo-dev@gentoo.org mailing list
