Re: [arch-security] [Announcement] Discussion about restricting arch-security for public participation




  Now there are different opinions about this:
Some people certainly estimate comments, questions and discussion about security issues which do not solely pertain to updates of packages for already known security issues. Allowing discussion about potential security risks is also an important issue though certain package maintainers and arch-security personnel may feel discomforted about such discussions. Nonetheless I would believe such discussion to be worthwhile and important. Those who do not want to read it will not need to as soon as we have separate lists for "Discussion about security issues in Arch" and "Package updates for Arch resolving already known security issues".

Just read f.i. the following message from Luchesar V. ILIEV:

-------- Forwarded Message --------
Subject: Re: [arch-security] strange netstat connections after having opened Firefox
Date: Sat, 5 Dec 2015 15:46:32 +0200
From: Luchesar V. ILIEV <luchesar.iliev@xxxxxxxxx>
Reply-To: Discussion about security issues in Arch Linux and its packages <arch-security@xxxxxxxxxxxxx>
To: Discussion about security issues in Arch Linux and its packages <arch-security@xxxxxxxxxxxxx>

On 5 December 2015 at 14:01, Christian Rebischke
<Chris.Rebischke@xxxxxxxxxxxxx> wrote:
> This mailinglist has a daily-business todo and was not designed for
> discussions. [...]

The list name however says "Discussion about security issues in Arch
Linux and its packages". That being said, I understand what you mean
and agree with it.

> [...] This mailinglist's main task is to
> inform subscribers about newest vulnerabilities.

So, could perhaps the list be split into two: one list for
security-related discussions and one---moderated or even
"read-only"---strictly for security announcements? For example,
FreeBSD has these:

freebsd-security: Security issues [members-only posting]
freebsd-security-notifications: Moderated Security Notifications
[moderated, low volume]

The rationale is probably obvious. On one hand, people indeed expect a
list used for security announcements to be used _only_ for this. Some
might, for example, have set filters that mark such messages as
urgent, display nagging pop ups, etc. On the other hand, the plain old
e-mail still has value as a medium for discussions. For example, it's
not very practical to digitally sign forum postings, and IRC is a
wholly different type of communication that might not always be
appropriate.

Cheers,
Luchesar

P.S. Slightly off-topic: my sincerest gratitude to everyone behind the
security announcements! You're doing a great job, and this is not just
empty words.


On 2016-01-28 at 13:06, Elmar Stellnberger wrote:
I see that there is certain interest in separating messages about
security updates in given packages from general security discussions and
announcements. Nonetheless if the arch-security list becomes closed down
for public participation then we are in need of a new list for the
latter two purposes.

On 2016-01-28 at 01:41, Levente Polyak wrote:
Dear arch-security subscribers,
Dear arch-general subscribers,

the policy of the arch-security mailinglist is currently changed to a
restricted advisory announcements only list due to certain reasons
roughly explained on the arch-devops [0] and arch-dev-public [1] lists.

As there was no announcement and discussion about this change yet, we
want to invite you to discuss the restriction of the arch-security
mailinglist on the CC-ed arch-general list. After making sure you are
subscribed to arch-general [2], you can simply reply to this
announcement by posting directly to the arch-general mailinglist.

Our main goal behind this change is to separate relevant official
announcements and advisories from possibly long and frequent
discussions. The security team's idea is that each announcement to the
arch-security list should be considered as an urgent alert and reviewed
as soon as possible, without the need to filter them from general
conversations and exchange of "unverified" information.

sincerely,
Levente (anthraxx)

[0]
https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html

[1]
https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.html

[2] https://lists.archlinux.org/listinfo/arch-general




