Now there are different opinions about this: Some people certainly estimate comments, questions and discussion about security issues which do not solely pertain to updates of packages for already known security issues. Allowing discussion about potential security risks is also an important issue, though certain package maintainers and arch-security personnel may feel discomforted about such discussions. Nonetheless I would believe such discussion to be worthwhile and important. Those who do not want to read it will not need to as soon as we have separate lists for "Discussion about security issues in Arch" and "Package updates for Arch resolving already known security issues".

Just read f.i. the following message from Luchesar V. ILIEV:

-------- Forwarded Message --------
Subject: Re: [arch-security] strange netstat connections after having opened Firefox
Date: Sat, 5 Dec 2015 15:46:32 +0200
From: Luchesar V. ILIEV <luchesar.iliev@gmail.com>
Reply-To: Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>
To: Discussion about security issues in Arch Linux and its packages <arch-security@archlinux.org>

On 5 December 2015 at 14:01, Christian Rebischke <Chris.Rebischke@archlinux.org> wrote:
> This mailinglist has a daily-business todo and was not designed for discussions. [...]
The list name however says "Discussion about security issues in Arch Linux and its packages". That being said, I understand what you mean and agree with it.
> [...] This mailinglist's main task is to inform subscribers about newest vulnerabilities.
So, could perhaps the list be split into two: one list for security-related discussions and one---moderated or even "read-only"---strictly for security announcements? For example, FreeBSD has these:

freebsd-security: Security issues [members-only posting]
freebsd-security-notifications: Moderated Security Notifications [moderated, low volume]

The rationale is probably obvious. On one hand, people indeed expect a list used for security announcements to be used _only_ for this. Some might, for example, have set filters that mark such messages as urgent, display nagging pop-ups, etc.

On the other hand, the plain old e-mail still has value as a medium for discussions. For example, it's not very practical to digitally sign forum postings, and IRC is a wholly different type of communication that might not always be appropriate.

Cheers,
Luchesar

P.S. Slightly off-topic: my sincerest gratitude to everyone behind the security announcements! You're doing a great job, and this is not just empty words.

On 2016-01-28 at 13:06, Elmar Stellnberger wrote:
I see that there is certain interest in separating messages about security updates in given packages from general security discussions and announcements. Nonetheless if the arch-security list becomes closed down for public participation then we are in need of a new list for the latter two purposes.
On 2016-01-28 at 01:41, Levente Polyak wrote:
Dear arch-security subscribers, Dear arch-general subscribers,
the policy of the arch-security mailinglist is currently changed to a restricted advisory announcements only list due to certain reasons roughly explained on the arch-devops [0] and arch-dev-public [1] lists.
As there was no announcement and discussion about this change yet, we want to invite you to discuss the restriction of the arch-security mailinglist on the CC-ed arch-general list. After making sure you are subscribed to arch-general [2], you can simply reply to this announcement by posting directly to the arch-general mailinglist.
Our main goal behind this change is to separate relevant official announcements and advisories from possibly long and frequent discussions. The security team's idea is that each announcement to the arch-security list should be considered as an urgent alert and reviewed as soon as possible, without the need to filter them from general conversations and exchange of "unverified" information.
sincerely, Levente (anthraxx)
[0] https://lists.archlinux.org/pipermail/arch-devops/2016-January/000007.html
[1] https://lists.archlinux.org/pipermail/arch-dev-public/2015-December/027581.h...