On 09/23/03 Grant Goodyear wrote:

> I'm glad to see this project underway. I do have a couple of
> questions, though.
>
> > Security bugs should be kept in bugzilla,
>
> What's the rationale for keeping GLSA's in bugzilla, since bugzilla is
> going to have to be hacked to make it work?

As other people are also against this, we should drop it. I just picked
that up from the previous discussion in #gentoo-security. So we make a
separate tracking system; not sure if it will be easier or harder to do,
but definitely a cleaner approach.

> > The actual filing and editing of these bugs should be done with a
> > new interface that is specially designed for security bugs and GLSA
> > information. Once a security bug is marked as fixed, a GLSA
> > generation script is run that generates the GLSA, GPG-signs it
> > (depending on policy) and distributes it on mailing lists, http- and
> > rsync-servers.
>
> Where is this script run? If it's on a gentoo server, then I don't
> really like the idea of the script signing the GLSA. Perhaps I'm just
> being paranoid, but I would really prefer the signing to be performed
> by the user issuing the GLSA. If, on the other hand, there is a GLSA
> tool that devs can run on their own machines that assists the dev in
> creating the GLSA, then signs the GLSA and uploads it to the
> appropriate location, that would be just fine with me.

This should be decided by the security project; there are other people
who can comment/decide that better than me.

> > The update script then can take the GLSAs from /usr/portage/glsa or
> > the http repository (to avoid unneeded syncs just to get the GLSA).
>
> Drobbins has said that he would prefer the update script to be
> incorporated into emerge as soon as possible. I get the impression
> from Carpaski that we can, indeed, do that.

I'm not against portage integration, but I'd rather finish and
test the script and the GLSA framework before we put it into emerge. We
wouldn't do anyone a favor if we put unfinished stuff in portage. The
integration isn't that difficult, just adding some files to the portage
tarball and changing a few calls to use portage functions instead of
emerge / portageq.

> Nice job!
> -g2boojum-

Thanks

Marius

--
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.