[arch-general] [arch-security] [Announcement] Discussion about restricting arch-security for public participation

Elmar Stellnberger estellnb at elstel.org
Sat Jan 30 18:48:06 UTC 2016


> In my opinion I don't feel like we are urged to have a separate list as
> most of the time the topics blur the line and splitting it does not
> provide much benefit.

   Distributions tend to have their own security lists so that people can 
receive security related stuff, only. To me there is simply too much 
irrelevant traffic with regards to security related topics on the 
arch-general list.
   Getting posts about imminent and potential security risks from many 
different sides is f.i. something I still estimate about the Debian 
security list very much. Besides the fact that many people from the 
security list previously also open for discussion will not participate 
in a discussion here I wanna say that I would still estimate an own list 
for security discussion if not achieving the current security list to be 
opened up for posts from various sides again. If you do not want any 
discussion there simply rename this list from  "Discussion about 
security issues in Arch" into "Security Announcements for Arch". Then it 
will be clear to everyone that this list is not for posing security 
related questions or just having a discussion.


On 2016-01-28 at 17:29, Levente Polyak wrote:
 > On 01/28/2016 04:29 PM, Elmar Stellnberger wrote:
 >> >P.S. Slightly off-topic: my sincerest gratitude to everyone behind the
 >> >security announcements! You're doing a great job, and this is not just
 >> >empty words.
 >> >
 > Thank you very much, that is appreciated and makes us happy... however
 > to be pedantic: Most of the work needs to be done before any
 > announcements, that is just the (smallest) final step:)

   No doubt, the Arch as well as other independent security teams are 
currently doing a great job! It needs to be said twice. Nonetheless 
there are two things that should be mentioned: First of all if there is 
something that I keep estimating most about the many Open Source 
communities then it is people always being open for contribution, input 
and discussion from various sides. Secondly we can not suggest to people 
that they are in a safe place just because they are using up to date OSS 
software by the time. Many serious and dire security vulnerabilities 
(leading f.i. to arbitrary code execution or privilege escalation) have 
recently been closed not just in the Chrome and Firefox browser but 
there may very likely be further issues; i.e. keep your work going, I 
just wanna see a more secure OSS environment for the future!

Elmar

