Re: Should we be alarmed at our state of security support?

To: John Goerzen <jgoerzen@complete.org>
Cc: debian-security <debian-security@lists.debian.org>
Subject: Re: Should we be alarmed at our state of security support?
From: Michael Gilbert <mgilbert@debian.org>
Date: Sat, 21 Feb 2015 13:55:16 -0500
Message-id: <[🔎] CANTw=MO_RTnJ3wrg-s4d0NWyOaGxmSvP9S=KM+ceqkforqPX9g@mail.gmail.com>
In-reply-to: <[🔎] 54E5E539.2010906@complete.org>
References: <[🔎] 54E49DA6.7050306@complete.org> <[🔎] CANTw=MOTHu8uHQcW75aGy110Sxm8c5JJpezNbeSuGSmYtQUrPw@mail.gmail.com> <[🔎] 54E5E539.2010906@complete.org>

John Goerzen wrote:
> You know, Mike, *explicit* in my original email was a question of what
> help is needed.  I was willing to pitch in and help.  I may still be.

If your goal is to help, then that's really cool.

> But how else is someone going to learn that when security-tracker says
> "vulnerable", in hundreds of instances, that may be wrong, other than by
> asking?

By spending the requisite time to get familiar with the thing you're
about to criticize before sounding of a premature alarm.

> To be insulting to someone that asked a polite question about "why does
> debsecan show hundreds of vulnerabilities on an up-to-date system" -- a
> GOOD question -- is frankly astonishing.

The sensationalism was the insult.  If the subject had been more
unsensationalized like, "how can I help?" then I would not have
pressed you with such a critical tone.

In fact Alessandro Ghedini asked just that a few weeks ago, which
started a productive conversation, and within that short time, he is
already editing the tracker, preparing security updates, and releasing
DSAs.

If you want to improve the current state, then that's awesome, but you
need to be willing to volunteer time, learning, and effort to make it
happen.

Criticism without action is bound to be counter-productive.

> Rather than insulting those that might jump in to help, you might send
> links to information on how to pitch in and be of assistance.  Frankly
> if the security team is going to be this prickly, the costs of dealing
> with personalities will eat up too much of my time and drain the
> satisfaction out of doing something useful for me.

Here are some links to get you started:
https://security-tracker.debian.org/tracker/
http://security-team.debian.org/security_tracker.html

If the documentation isn't clear about any particular concern of
yours, then please feel free to improve it or ask questions, and we
can provide answers that can be used to improve it.

Best wishes,
Mike

Reply to:

References:
- Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>
- Re: Should we be alarmed at our state of security support?
  - From: Michael Gilbert <mgilbert@debian.org>
- Re: Should we be alarmed at our state of security support?
  - From: John Goerzen <jgoerzen@complete.org>

Prev by Date: Re: Debian Live CD - unsecured ssh open by default
Next by Date: Re: [SECURITY] [DSA 3164-1] typo3-src security update
Previous by thread: Re: Should we be alarmed at our state of security support?
Next by thread: AUTO: Fredo Strüber is out of the office (Rückkehr am 19.02.2015)
Index(es):
- Date
- Thread