Rich Freeman wrote, on 08/27/2011 03:06 PM: > However, that isn't really what we're discussing here. What we're > talking about is GLSAs vs no GLSAs. Working automated GLSAs > apparently don't exist right now. It is wonderful that a bunch of > people are looking to change that, however it doesn't really change > the fact that we're not sending out GLSAs, and that makes it hard for > people to take Gentoo seriously as a distro.
Yes, we are aware of that. We know it's very unfortunate, but just *stating* it doesn't get us more manpower. > If the new tool were > just a few weeks away then a few posts to -dev/-security updating > status would probably alleviate concerns. However, I think that > people have been talking about fixing the GLSA tool for ages now. We currently believe the tool *is* just a few weeks away; we plan to meet in person at the end of September. But I don't want to promise anything as real life may get in the way anytime. > I think the fundamental problem is failing to distinguish between > operations and improvements. You can't put the former on hold to work > on the latter. Sure, but that is not the case. It's still possible to use the old GLSAmaker and send out advisories; the problem is manpower. No-one currently wants to do the work with the old tool (And no, editing XML files manually won't motivate people either). > When resource constraints hit a volunteer project, the solution is > usually to create a more distributed solution. That's similar to the bug wrangling situation a while ago. The queue was huge and everyone knew we needed more people to wrangle the bugs. But how many people actually did that for more than a few? Not even a handful. Having maintainers "care" about security just won't work out. That's why the security team exists in the first place.
