On 07/17/2010 07:02 PM, Petteri Räty wrote:
>> Do stabilisations on the security bug so arch team members can skim
>> through their stabilisation list by just looking for security@g.o to
>> find the vulnerable packages.
>>
>> V-Li
>>
>
> If you want things to happen this way then it should be at least
> documented in the devmanual.

It's in the security project's policy:
"once an ebuild is committed, evaluate what keywords are needed for the
fix ebuild and get arch-specific teams to test and mark the ebuild
stable on their architectures (arch-teams should be cc'd on the bug, as
well as releng during release preparation) and set status whiteboard to
stable"
http://www.gentoo.org/security/en/vulnerability-policy.xml, Chapter 4

As the CC'ing should be done by the security folks/the maintainer when a
new ebuild is ready, I don't think it needs to be in devmanual. The
relevant people should be aware of the process.