Miguel Filipe writes:
> I came "sounding like an ass"? Why is that?
Because you criticized the Gentoo project. It works like this: You bring up a security problem. In the replies you get, though, your actual point is flat out dismissed or never addressed at all. Instead, you and your behavior will be discussed in a very provoking manner. Once you have been thoroughly annoyed and insulted, you become defensive and lose focus of what you were trying to say in the first place! Thus, the discussion drifts away from the security problem.
Peter, please don't start your rant again.
> Because I talked about a LOCAL ROOT EXPLOIT ... that isn't
> mentioned in the GENTOO SECURITY ML because it's in the
> bugs repository?
The advantage of dealing with security problems _only_ in the bug tracking system is that practically nobody follows the bug tracking system -- whereas lots of people read the mailing list. Thus, there is less transparency, which means more freedom for the Gentoo core team to deal with security problems in a way that doesn't interfere with internal politics (read: egos).
The reason you haven't seen an email about it is that security advisories get sent to gentoo-announce. It was decided a few years ago to move those emails from here to there because there were a lot more people on that list. The other reason you haven't seen any email about this from us is that we go through a process to make sure all the ebuilds are updated before we release an announcement (which is documented on our site [1]). It's not being ignored one bit; it's just not very visible unless you follow bugs.
> If issues like a LOCAL ROOT EXPLOIT aren't mentioned
> here, WHY THE HELL does this ML exist?
As it happens, I have a concrete proposal for how to make this list more useful! How about having the bug tracking system forward all new security-related entries to this mailing list automatically? This policy would (a) increase transparency and (b) help find volunteers from the community who care enough about a problem to be willing to dedicate time to fixing it. Thus: less work for the Gentoo core team, more security for everybody.
Add a watch on the bugs site, as was previously mentioned. Perhaps that should be better documented so people like him can follow things like that.
> Where is it explained that those who want to follow security
> issues that may affect their systems should track
> bugs.gentoo.org?
I'd very much like to see an answer to this question. The page <http://security.gentoo.org/> doesn't seem to say anything about it.
See above. If this needs to be added, make a bug about it.
[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
-Lance
-- [email protected] mailing list
