On Wed, Feb 9, 2011 at 9:08 AM, "Paweł Hajdan, Jr."
<phajdan.jr@g.o> wrote:
> I think http://www.gentoo.org/security/en/vulnerability-policy.xml
> specifies the target delay, and also mentions temporary GLSAs.
> Unfortunately, that process does not seem to be followed due to the general
> difficulty of drafting GLSAs (I don't even know what the problem is, as
> GLSAmaker is only available to security team members).
>

I think the policy itself is completely appropriate, and of course
publishing it makes the process transparent to the users.

I think our problem is more with complying with that policy.

I have heard similar complaints about GLSAmaker. I half-wonder if it
would make more sense to just edit the xml files directly and validate
them with a tool, and send out an email, if the tool really is that
bad.

Could the security team use a staff position of some kind that an
interested user could take on that handled some of the more
administrative aspects of security bugs? Maybe we aren't that bad at
fixing our code, but nobody wants to sit around tinkering with
notices/etc. Perhaps we might have interested users who wouldn't mind
sending out notices and closing bugs who otherwise might not want to
or be able to maintain ebuilds/etc?

Rich