List Archive: gentoo-security
On Mon, 2007-04-16 at 08:32 -0500, Kurt Lieber wrote:
> On 4/16/07, Calum <caluml@...> wrote:
> > But the infrastructure is already in place for GLSA's.
>
> You have to chase
> security people down to draft the GLSA. You have to chase more
> security people down to peer review the GLSA.
In my limited experience with vulnerabilities in packages I maintain,
the problem or delays seem to be with the last two steps listed. Not to
simplify them by any means, or the preceding steps.
http://bugs.gentoo.org/show_bug.cgi?id=173122
http://bugs.gentoo.org/show_bug.cgi?id=169433
Not to mention that in my case upstream had already acted, etc., so no
patching or the like was needed on my behalf. Just bumps and stabilization, if
anything.
> I don't know that we've ever formally quantified how much time an
> average GLSA takes, but my semi-educated guess would be in the
> neighborhood of 10 hours per package.
I would not be surprised, and surely so if they have to follow it
through from start to finish. Less if, say, maintaining devs are
responsible for addressing their vulnerable package, and not leaving it
up to others like the security team. All must do their parts to get things
done in a timely manner.
> Now, take that process and multiply it by the number of -sources in
> the tree and you can start to get an idea for how much time it takes
> to issue kernel updates.
Kernel issues must be a nightmare for the security team.
> So, again, #gentoo-security is where you can start being part of the solution.
If I had the time I would go join and help. As is, I am already quite
overcommitted :)
--
William L. Thomson Jr.
Gentoo/Java