List Archive: gentoo-security
Headers:
To: gentoo-security@g.o
From: "William L. Thomson Jr." <wltjr@g.o>
Subject: Re: Days of yore
Date: Mon, 16 Apr 2007 10:05:22 -0400
On Mon, 2007-04-16 at 08:32 -0500, Kurt Lieber wrote:
> On 4/16/07, Calum <caluml@...> wrote:
> > But the infrastructure is already in place for GLSA's.
> 
> You have to chase
> security people down to draft the GLSA.  You have to chase more
> security people down to peer review the GLSA.

In my limited experience with vulnerabilities in packages I maintain, the
problem or delays seem to be with the last two steps listed. Not to
simplify them by any means, or the preceding steps.

http://bugs.gentoo.org/show_bug.cgi?id=173122
http://bugs.gentoo.org/show_bug.cgi?id=169433

Not to mention in my case upstream had already acted or etc, so no
patching or etc was needed on my behalf. Just bumps and stabilization if
anything.

> I don't know that we've ever formally quantified how much time an
> average GLSA takes, but my semi-educated guess would be in the
> neighborhood of 10 hours per package.

I would not be surprised, and surely so if they have to follow it
through from start to finish. Less if, say, maintaining devs are
responsible for addressing their vulnerable package, and not leaving it
up to others like the security team. All must do their parts to get things
done in a timely manner.

> Now, take that process and multiply it by the number of -sources in
> the tree and you can start to get an idea for how much time it takes
> to issue kernel updates.

Kernel issues must be a nightmare for the security team.

> So, again, #gentoo-security is where you can start being part of the solution.

If I had the time I would go join and help. As is, already quite over
committed :)

-- 
William L. Thomson Jr.
Gentoo/Java