
Re: Should we be alarmed at our state of security support?

John Goerzen wrote:
> You know, Mike, *explicit* in my original email was a question of what
> help is needed.  I was willing to pitch in and help.  I may still be.

If your goal is to help, then that's really cool.

> But how else is someone going to learn that when security-tracker says
> "vulnerable", in hundreds of instances, that may be wrong, other than by
> asking?

By spending the requisite time to get familiar with the thing you're
about to criticize before sounding off a premature alarm.

> To be insulting to someone that asked a polite question about "why does
> debsecan show hundreds of vulnerabilities on an up-to-date system" -- a
> GOOD question -- is frankly astonishing.

The sensationalism was the insult.  If the subject had been more
unsensationalized like, "how can I help?" then I would not have
pressed you with such a critical tone.

In fact Alessandro Ghedini asked just that a few weeks ago, which
started a productive conversation, and within that short time, he is
already editing the tracker, preparing security updates, and releasing

If you want to improve the current state, then that's awesome, but you
need to be willing to volunteer time, learning, and effort to make it

Criticism without action is bound to be counter-productive.

> Rather than insulting those that might jump in to help, you might send
> links to information on how to pitch in and be of assistance.  Frankly
> if the security team is going to be this prickly, the costs of dealing
> with personalities will eat up too much of my time and drain the
> satisfaction out of doing something useful for me.

Here are some links to get you started:

If the documentation isn't clear about any particular concern of
yours, then please feel free to improve it or ask questions, and we
can provide answers that can be used to improve it.

Best wishes,
