On Mon, 26 Jan 2015 09:20:30 -0500 Rich Freeman <ri...@gentoo.org> wrote:
> On Mon, Jan 26, 2015 at 8:21 AM, Duncan <1i5t5.dun...@cox.net> wrote:
> > The result of the current policy is that if you're waiting for the
> > GLSA, unless it's _extreme_ priority (heartbleed level), on at
> > least amd64, you're very often sitting there exposed for well over
> > a week, and too often a month, after the fix is out there, actually
> > installed on /my/ systems. And to me that's a game of Russian
> > Roulette odds that I'm simply not willing to play.
>
> From a PR standpoint we'll be communicating to some users that they
> are vulnerable, and we haven't completely fixed the issue yet. I
> think we just need to reset expectations here. The fact is that today
> they're just as vulnerable, but we don't broadcast that. Sending out
> notice sooner will help out users who want to update based on GLSAs,
> and if there isn't a stable version yet the user can decide whether to
> just wait for testing or move ahead on their own.

I also check other sources of security-related info and take measures if it affects me (update the affected package, change configuration, ...). I should have said "security updates" earlier instead of "GLSAs", which would actually be closer to reality. I agree that (unfixed) security issues should be communicated so we do not put false hopes in GLSAs.

Robert

-- 
Róbert Čerňanský
E-mail: ope...@tightmail.com
Jabber: h...@jabber.sk