| 1 |
On Wed, Feb 9, 2011 at 9:08 AM, "Paweł Hajdan, Jr." |
| 2 |
<phajdan.jr@g.o> wrote: |
| 3 |
> I think http://www.gentoo.org/security/en/vulnerability-policy.xml |
| 4 |
> specifies the target delay, and also mentions temporary GLSAs. |
| 5 |
> Unfortunately, that process does not seem to be followed due to general |
| 6 |
> difficulty of drafting GLSAs (I don't even know what is the problem, as |
| 7 |
> GLSAmaker is only available to security team members). |
| 8 |
> |
| 9 |
|
| 10 |
I think the policy itself is completely appropriate, and of course |
| 11 |
publishing it makes the process transparent to the users. |
| 12 |
|
| 13 |
I think our problem is more with complying with that policy. |
| 14 |
|
| 15 |
I have heard similar complaints about GLSAmaker. I half-wonder if it |
| 16 |
would make more sense to just edit the xml files directly and validate |
| 17 |
them with a tool, and send out an email, if the tool really is that |
| 18 |
bad. |
| 19 |
|
| 20 |
Could the security team use a staff position of some kind that an |
| 21 |
interested user could take on that handled some of the more |
| 22 |
administrative aspects of security bugs? Maybe we aren't that bad at |
| 23 |
fixing our code, but nobody wants to sit around tinkering with |
| 24 |
notices/etc. Perhaps we might have interested users who wouldn't mind |
| 25 |
sending out notices and closing bugs who otherwise might not want to |
| 26 |
or be able to maintain ebuilds/etc? |
| 27 |
|
| 28 |
Rich |
Archives