
Re: Use of DSA number for general announcements



Hi,
* Mike Mestnik <cheako+debian-security@mikemestnik.net> [2012-09-15 17:05]:
> On 09/14/12 00:47, Thijs Kinkhorst wrote:
> > On Fri, September 14, 2012 03:28, David Prevot wrote:
> >>> This is a notice to inform you, that our previous PGP/GPG key expired.
> >>
> >> Thanks for notifying us on debian-security-announce@l.d.o, but I
> >> disagree that such an announcement deserves a DSA number. DSA-2360 was
> >> also a misuse of a DSA number IMHO, and would have deserved a copy on
> >> wider audience (e.g. on debian-announce@l.d.o). Please don't hesitate to
> >> get in touch with the press or publicity team next time you prepare a
> >> big announcement.
> > 
> > Well, this is of course how we 'always' do it. I'm not sure I understand:
> > why is it a problem to use (even misuse?) a number? They are free and we
> > have ample supply.
> > 
> > I doubt a technicality like a key rollover, which is only relevant for
> > people actively conversing with the security team, is useful to post to
> > debian-announce.
> > 
> I think DSA should be used for communicating information to the person
> who calls or schedules calls to apt-get and the like....  not for
> communicating to ppl who actively converse with the security team, these
> are definitely two different groups of ppl.

You are discussing a problem that is none in practice. Researchers who 
want to communicate with us will notice the key is expired if they want to use 
it. And guess where they look for a new one? security.debian.org.
It's not like this announcement is the only place where this key change is 
visible. It's not like researchers depend on this particular announcement to 
successfully communicate with us.

I'd also like to point out that DSA mails are forwarded to relevant lists like 
full-disclosure and bugtraq. Lists people in the security industry read.
No researcher, unless he is a very dedicated Debian fan, will ever read 
debian-announce.

There is no problem, can we please all move on and fix stuff instead of 
wasting time with this discussion?

Thanks.
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
