On Thu, 13 Nov 2008 12:55:36 -0500
"Ted Unangst" <[EMAIL PROTECTED]> wrote:

> On Thu, Nov 13, 2008 at 12:35 PM, Aaron W. Hsu <[EMAIL PROTECTED]> wrote:
> > Is security-announce an open list?  If not, give me access and I'll
> > keep it reasonably up to date, give or take a day or so of release of
> > the Security Errata on the website, unless there is an even faster way
> > of checking it out, such as CVS.
> 
> It is moderated, and really, outsiders should not be posting to it
> because then it appears that they have some position of authority.
> The only person who should be posting to the list is the person who
> made the fix, because they are the security contact.  When people
> reply, it is important they are talking to the right person.

Okay, I can see why everyone would prefer to see the developers
sending their own fixes -- this is convenient to the users, though not
to the developers.  However, it is obvious that the developers do not
wish to do this, have no time to bother with it, and aren't concerned
at all.  I don't blame them, that's perfectly legitimate.  So we
should get someone else to do it, because some people do care about
having semi-timely security announcements on a mailing list. I also
see no reason why someone announcing a security announcement that is
detailed elsewhere should be required to be a developer heavily
involved in the development process.  The very nature of this suggests
that people who meet this requirement will not have the motivation or
time to do this.  There is nothing wrong with having someone else
assigned to the task. 

> What you can do is monitor the list.  If an erratum comes out and
> nothing happens for a day, email the person responsible and remind
> them.  The person responsible is not necessarily the person who
> happened to commit to stable, though, it's the person who made the
> original fix.  There are no announcements on the list because probably
> half the developers don't know they are supposed to make such
> announcements.

You're implying ignorance of the developers, which I doubt.  They
don't care about it, and we shouldn't be nagging them about it.
Instead, we should do something, rather than just being on the outside
bugging them like annoying gnats. 

I'm offering to do the work.  OpenBSD as a whole may not want me to do
anything, but that's not my fault.  At least I'm trying to *do*
something; I don't consider nagging people who don't have time or
motivation or reason to bother with such things to be a useful thing
to do. 

-- 
Aaron W. Hsu <[EMAIL PROTECTED]> | <http://www.sacrideo.us>
"Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else." -- Frederic Bastiat
+++++++++++++++ ((lambda (x) (x x)) (lambda (x) (x x))) ++++++++++++++
