I’ve been wondering about the choice of the wording “roundup” for a while (being a non-native speaker) and today took some time to check where my uneasy gut feeling came from.
So there’s two negative connotations that might be relevant enough to choose a different word, but maybe my gut feeling is off - I guess @grahamc could shed some light whether my uneasy feeling about the wording is not the same as a native speaker.
On a serious note, I believe reviewing terminology by non-natives actually has advantages – we want it to be understandable widely, including non-native people. I think when you’re very good in a language, you may sometimes tend to use unnecessarily complex language.
That’s one meaning – (5) on wiktionary. Our aim is for (3). Also from my memory the word fits OK; in science it seems often used for “survey” of the state of the art around something.
Security roundup does sound like a herbicide, which is good (we have
“Roundup” in France too)
Security survey sounds like a poll, which sounds weird
Security assessment and security review both sound like checking the
code of Nixpkgs, not of the packages defined by Nixpkgs
I don’t know how other distros call these, but debian has Debian
Security Advisories that tell people what security updates have been
done, in the same way as most distros appear to have “*** Security
Advisory”. This is not the same as “unfixed vulnerabilities”, though.
TL;DR: as a non-native the one I find least surprising in the current
proposals is “Security roundup”: it doesn’t already have a meaning I’d
have to fight against.
But there’s maybe a way to find a better word?
Then, TBH I think the whole concept of vulnerability roundup is an issue
we have: vulnerabilities should be reported as they’re added and we
should either handle them (and send a Nixpkgs Security Advisory when
they’re fixed) or mark them as “not important” and stop caring about
them. Seen a nice talk from the Debian security team… but it’s in
french. If people are interested nevertheless, it’s at [1]. I must say I
don’t remember all the details, but my current internet connection is
too slow for me to look at it again, so…
English isn’t my native lang but I’m fine with the roundup term. I vaguely thought about the herbicide the first time I encountered it but not enough to bother me.
Then for alternative proposals (IMHO):
survey : too vague and it’s related to opinion polls to me so
assessment : is a clear term commonly used in infosec but it relates to the audit that needs to be done when facing a (potential) security issue ; so in the context of (FLOSS) software it relates more to the task that needs to happen upstream when a CVE is published (troubleshoot, fix, publish a patch or a maintenance release).
squashing parties : feels out of place, borrowed from coding events and hackathons.
sprint : nope because not every contributor is a professional software dev IRL (I’m not) and I don’t think security issues should be addressed in terms of “sprintable items”. It adds a vague sense of obligation (to end the sprint) and feels out of place in a community project. Plus the actual fixing should happen upstream, our job is to integrate CVE fixes in a reasonable time so users have access to less-flawed software.
advisory : also clear and common in infosec, it could be a good choice for us but to me it doesn’t add enough over roundup as to warrant a wording change.
In the end I’d rather stick with roundup …
OR… let me make a new suggestion since we are brainstorming here : the term bulletin is also used in infosec (as much as advisory) and IMHO it carries exactly the right meaning for our use case :
a compilation of past and current (security) events that we need to be aware of
