'Twas brillig, and Nix at 14/10/09 00:24 did gyre and gimble:
That requires me to be permanently present on IRC. I'm stuck commuting
and have to sleep so this is impractical.

I'm on IRC 24/7 and yet I do both of those things too. It's not impractical, but I don't think it should be seen as a primary source of info either. This list is that. IRC is just convenient.

The current system works quite well I'd say -- for the distros. You

for the distros *you choose to communicate with*, and we don't even know
who they are: it may even be a matter of whim. Everyone else is screwed.

Well FWIW, the current system works fine for me too. Sure Lennart may ping me on IRC but all the info is on the list too.

think there's more than distros that matters. I don't. So why should I
do the additional work and you don't?

One Cc:? 'Additional work'? I'm sorry, I assumed that running a
very-low-volume one-posting-subscriber mailing list was essentially no
work if you were already running several higher-volume ones. I didn't
realise it was immensely difficult.

Pulseaudio is not a simple app and when people see an announce list they may be tempted to think: "ahh new version, upgrade time \o/". It's deeply integrated into the stack, and synced with various other components including the kernel and udev. An announce list would just encourage people to bash on and try and upgrade without understanding things fully. This list is not particularly high traffic and I think a separate list would only encourage these "drive by" experiences which we should be discouraging (as someone who often advises people on IRC and this list, I'd say it's one of the most frustrating things I have to deal with).

Also, Colin maintains a -stable branch, which also includes the
security fixes -- not sure what more you need?

Aha. I didn't notice that these were still active: indeed the recent
security fix doesn't seem to have gone into the older one. I guess this
means that what I'm hoping for *is* there... except that it's not
publicised anywhere.

It's been announced on this list and the git tree speaks for itself. All the distros know it's there.

Aha. From your phrasing I thought it was being sent *only* to
distributors, not to distributors and this list. (I can't recall any
security-related announcements ever being made to this list. Certainly
the patching of the recent actively-exploited PA hole wasn't announced
here.)

What recent actively-exploited PA hole that wasn't announced do you refer to? The only one I know of was announced on this list, so this is slightly concerning to me and I'd agree that this is an issue if there is something not actively discussed/announced here. Doesn't mean there should be a separate list tho', and if this list hasn't had mention of this issue, then it's highly likely that this other new list would have either!

This is the biggest problem in the free software world, really:
responding to criticisms of major flaws with utterly trivial fixes with
'oh, you do that then'. Adding one email address to a Cc: to help all
users of your software avoid security problems is not rocket science and
takes zero effort as far as I can see, but you responded like I was
suggesting you paint the ceiling of the Sistine Chapel, with proposed
fixes which involved *insane* amounts of effort (24x7 presence on an IRC
channel come-what-may and scanning all the traffic on that channel to
spot a non-automatically-detectable notice which might come up once in
six months, if that? Come on!)

Your comments above assume that such a list should be encouraged in the first place.... OK a security-only list would not encourage bad behaviour like an announce list would, but to be honest, the one or two posts on it in the last four years probably wouldn't encourage people to sign up to such a list anyway.

I'm on enough lists. I'd rather just use this one personally.

If you really think that upstream PA is only usable by distributors,
that's fine: everyone else should for security's sake drop it and
encourage every program that currently uses it to drop support for it as
well (otherwise they are opening all their users who do not use your
preferred distros to potential security threats).

A shame. It's fine software, better than any other desktop sound system
I've ever used, but it seems it's not safe to use unless I'm in the
right club or have infinite amounts of free time to use to follow
everything you do in micrometric detail.

You're totally overreacting. Are you really going to stop using a piece of software because one or two emails were not sent to a specific list designed specifically to receive this handful of email? This list serves me and others perfectly well, so your opinions are not shared by everyone.

Col


--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]

_______________________________________________
pulseaudio-discuss mailing list
pulseaudio-discuss@mail.0pointer.de
https://tango.0pointer.de/mailman/listinfo/pulseaudio-discuss
