On 2/9/11 2:57 PM, Rich Freeman wrote:
> Perhaps we should target having glsas published within a certain
> amount of time after a vulnerability is disclosed, whether corrected
> or not. We could re-publish a final notice once all is well. We
> really shouldn't consider users safe from a security vulnerability
> until the vulnerability is patched in the tree AND the notice to
> update has been sent out.

I think http://www.gentoo.org/security/en/vulnerability-policy.xml
specifies the target delay, and also mentions temporary GLSAs.
Unfortunately, that process does not seem to be followed due to the general
difficulty of drafting GLSAs (I don't even know what the problem is, as
GLSAmaker is only available to security team members).