On Wed, Jul 6, 2016 at 7:48 AM, Anthony G. Basile <bluen...@gentoo.org> wrote:
>
> It doesn't matter, there is a problem here which needs to be addressed.
> I'm complaining because we need to fix a problem in our workflow. It
> sounds like K_F is working on a glep for that, which I applaud.
>
Is everybody here at least agreed that this particular situation was not handled well? That was my sense of it earlier in the thread, but it seems like we're trying to argue over whether it was. If so, then let's move forward with better policy/etc.

One-offs don't concern me much. However, it seems pretty obvious to me that if a typical package is suspected of creating a world-readable log file the reaction shouldn't be to mask it before talking to the maintainer. About the only thing that should warrant something like that is something like an sshd bug that lets arbitrary remote attackers connect as arbitrary users without authentication, and then the solution shouldn't be just a mask, but also some kind of immediate announcement (which is something we lack - we issue GLSAs sometimes ages after something is fixed on x86/amd64). Granted, that should be news enough that people are getting the message in other ways unless it is Gentoo-specific.

I believe we already have a security severity classification system of some kind with targeted response times, so maybe we can tie policy into that?

Like I said, one mistake doesn't make a trend, and we shouldn't over-react to a mistake. However, the way to handle a mistake is for everybody to say "this was a mistake," not "you're the only person who has a problem with this." Let's just fix whatever broke (if it isn't already fixed) and move on. We don't need to defend mistakes.

--
Rich