I just wanted to clarify that my intent is not to complain, or to imply that Gentoo devs aren't working hard enough, or that "Gentoo sucks" or anything of the sort; I may have transmitted the wrong impression in my previous email, for which I apologize. It is precisely because I appreciate the dedicated effort of all the Gentoo volunteers, and the high standards of quality which this distribution has always maintained, that I would hate to see such efforts subjected to unfair criticism due to a few isolated procedural problems.
The problem here wasn't, in my opinion, a lack of effort by anyone; as noted before, the fix was in the tree within hours, or within a day. The thing is, for whatever reason, the fix only came out a contextually very long time after that. This is what concerns me, and others I'm sure. It's very bad for the image of Gentoo, it gives the impression that you don't take security as seriously as others, and this -- at least in my view -- couldn't be farther from the truth. The main reason I use Gentoo Hardened on critical servers is precisely due to the effort and commitment put in by the security team at every level, from the kernel and toolchain to the user packages themselves.

Nevertheless, the fact remains that anyone using Hardened was left open to a vulnerability for a longer time than would have been necessary, given that the fix was already implemented within the tree. Also, I am concerned for the users of normal gentoo-sources, who were vulnerable for a very extended period of time.

I believe that it would be a positive thing to analyze what happened, and try to learn from it so that next time things go better. I would submit that sometimes, a lengthy procedure may get in the way of getting things done; or at least, that the established procedure should be more flexible to account for these cases.

Regards,
Israel

On 10/17/2010 02:59 PM, Israel G. Lugo wrote:
> Greetings,
>
> So what's the conclusion on what happened with bug 337645? What can we
> learn from here? That everything went just fine and according to plan?
> That hardly seems like a realistic assessment. If we ignore mistakes
> instead of learning from them, we are doomed to repeat them.
>
> [...]