On 07/17/2010 08:50 PM, Matti Bickel wrote:
> On 07/17/2010 07:02 PM, Petteri Räty wrote:
>>> Do stabilisations on the security bug so arch team members can skim
>>> through their stabilisation list by just looking for security@g.o to
>>> find the vulnerable packages.
>>>
>>> V-Li
>>>
>>
>> If you want things to happen this way then it should be at least
>> documented in the devmanual.
>
> It's in the security project's policy:
> "once an ebuild is committed, evaluate what keywords are needed for the
> fix ebuild and get arch-specific teams to test and mark the ebuild
> stable on their architectures (arch-teams should be cc'd on the bug, as
> well as releng during release preparation) and set status whiteboard to
> stable"
> http://www.gentoo.org/security/en/vulnerability-policy.xml, Chapter 4
>
> As the CC'ing should be done by the security folks/the maintainer when a
> new ebuild is ready, I don't think it needs to be in devmanual. The
> relevant people should be aware of the process.
>

If relevant people already know the policy and act accordingly then why
do we have this thread in the first place?

Regards,
Petteri