(Mild) language change suggestion: security roundup -> security survey?

I’ve been wondering about the choice of the wording “roundup” for a while (being a non-native speaker) and today took some time to check where my uneasy gut feeling came from.

So there’s two negative connotations that might be relevant enough to choose a different word, but maybe my gut feeling is off - I guess @grahamc could shed some light whether my uneasy feeling about the wording is not the same as a native speaker.

Connotation 1: Roundup (police action) - Wikipedia
Connotation 2: Roundup (herbicide) - Wikipedia

If choosing another word makes sense for others too (ignore me if it doesn’t) then I could imagine “security survey” might be a good substitute.


PS: sorry for any bike-shedding in advance …

herbicide: we want to eradicate security bugs, so that’s quite fitting, isn’t it? :smiley:

On a serious note, I believe reviewing terminology by non-natives actually has advantages – we want it to be understandable widely, including non-native people. I think when you’re very good in a language, you may sometimes tend to use unnecessarily complex language.

1 Like

Isn’t a survey something like a questionnaire?

1 Like

That’s one meaning – (5) on wiktionary. Our aim is for (3). Also from my memory the word fits OK; in science it seems often used for “survey” of the state of the art around something.

Maybe the word overview would fit here?
wiktionary lists only two meanings:
A summary and an inspection, both of which would probably fit.


I am a native English speaker and “roundup” doesn’t have negative connotations to me. It might even have a connotation of a bit of fun.

I feel like it derives from animal herding when you use horses and dogs to get your cattle or sheep into a group.

If we find an better alternative to this colloquialism, I’d be fine with switching.


Here are potential choices that come to mind:

  • “security assessment”
  • “security review”

As a non-native speaker:

  • Security roundup does sound like a herbicide, which is good (we have
    “Roundup” in France too)

  • Security survey sounds like a poll, which sounds weird

  • Security assessment and security review both sound like checking the
    code of Nixpkgs, not of the packages defined by Nixpkgs

  • I don’t know how other distros call these, but debian has Debian
    Security Advisories that tell people what security updates have been
    done, in the same way as most distros appear to have “*** Security
    Advisory”. This is not the same as “unfixed vulnerabilities”, though.

TL;DR: as a non-native the one I find least surprising in the current
proposals is “Security roundup”: it doesn’t already have a meaning I’d
have to fight against.

But there’s maybe a way to find a better word? :slight_smile:

Then, TBH I think the whole concept of vulnerability roundup is an issue
we have: vulnerabilities should be reported as they’re added and we
should either handle them (and send a Nixpkgs Security Advisory when
they’re fixed) or mark them as “not important” and stop caring about
them. Seen a nice talk from the Debian security team… but it’s in
french. If people are interested nevertheless, it’s at [1]. I must say I
don’t remember all the details, but my current internet connection is
too slow for me to look at it again, so…

[1] https://static.sstic.org/videos2018/SSTIC_2018-06-15_P06.mp4

I like the concept of bug squashing parties, and this has a lot in common with them. What about “CVE squashing parties” ? or “CVE squashing sprints” ?

Also Security Sprint #n sounds good to me, it uses a well known term in software development


English isn’t my native lang but I’m fine with the roundup term. I vaguely thought about the herbicide the first time I encountered it but not enough to bother me.

Then for alternative proposals (IMHO):

  • survey : too vague and it’s related to opinion polls to me so :confused:

  • assessment : is a clear term commonly used in infosec but it relates to the audit that needs to be done when facing a (potential) security issue ; so in the context of (FLOSS) software it relates more to the task that needs to happen upstream when a CVE is published (troubleshoot, fix, publish a patch or a maintenance release).

  • squashing parties : feels out of place, borrowed from coding events and hackathons.

  • sprint : nope because not every contributor is a professional software dev IRL (I’m not) and I don’t think security issues should be addressed in terms of “sprintable items”. It adds a vague sense of obligation (to end the sprint) and feels out of place in a community project. Plus the actual fixing should happen upstream, our job is to integrate CVE fixes in a reasonable time so users have access to less-flawed software.

  • advisory : also clear and common in infosec, it could be a good choice for us but to me it doesn’t add enough over roundup as to warrant a wording change.

In the end I’d rather stick with roundup

OR… let me make a new suggestion since we are brainstorming here : the term bulletin is also used in infosec (as much as advisory) and IMHO it carries exactly the right meaning for our use case :

a compilation of past and current (security) events that we need to be aware of