| 1 |
On 2/9/11 2:57 PM, Rich Freeman wrote: |
| 2 |
> Perhaps we should target having glsas published within a certain |
| 3 |
> amount of time after a vulnerability is disclosed, whether corrected |
| 4 |
> or not. We could re-publish a final notice once all is well. We |
| 5 |
> really shouldn't consider users safe from a security vulnerability |
| 6 |
> until the vulnerability is patched in the tree AND the notice to |
| 7 |
> update has been sent out. |
| 8 |
|
| 9 |
I think http://www.gentoo.org/security/en/vulnerability-policy.xml |
| 10 |
specifies the target delay, and also mentions temporary GLSAs. |
| 11 |
Unfortunately, that process does not seem to be followed due to general |
| 12 |
difficulty of drafting GLSAs (I don't even know what is the problem, as |
| 13 |
GLSAmaker is only available to security team members). |
Archives