| 1 |
On 09/23/03 Grant Goodyear wrote: |
| 2 |
|
| 3 |
> I'm glad to see this project underway. I do have a couple of |
| 4 |
> questions, though. |
| 5 |
> |
| 6 |
> > Security bugs should be kept in bugzilla, |
| 7 |
> |
| 8 |
> What's the rationale for keeping GLSA's in bugzilla, since bugzilla is |
| 9 |
> going to have to be hacked to make it work? |
| 10 |
|
| 11 |
As other people are also against this we should drop it. I just picked |
| 12 |
that up from the previous discussion in #gentoo-security. So we make a |
| 13 |
separate tracking system, not sure if it will be easier or harder to do, |
| 14 |
but definitely a cleaner approach. |
| 15 |
|
| 16 |
> > The actual filing and editing of these bugs should be done with a |
| 17 |
> > new interface that is specially designed for security bugs and GLSA |
| 18 |
> > information. Once a security bug is marked as fixed a GLSA |
| 19 |
> > generation script is run that generates the GLSA, GPG-signs it |
| 20 |
> > (depending on policy) and distributes it on mailing lists, http- and |
| 21 |
> > rsync-servers. |
| 22 |
> |
| 23 |
> Where is this script run? If it's on a gentoo server, then I don't |
| 24 |
> really like the idea of the script signing the GLSA. Perhaps I'm just |
| 25 |
> being paranoid, but I would really prefer the signing to be performed |
| 26 |
> by the user issuing the GLSA. If, on the other hand, there is a GLSA |
| 27 |
> tool that devs can run on their own machines that assists the dev in |
| 28 |
> creating the GLSA, then signs the GLSA and uploads it to the |
| 29 |
> appropriate location, that would be just fine with me. |
| 30 |
|
| 31 |
This should be decided by the security project, there are other people |
| 32 |
who can comment/decide that better than me. |
| 33 |
|
| 34 |
> > The update script then can take the GLSAs from /usr/portage/glsa or |
| 35 |
> > the http repository (to avoid unneeded syncs just to get the GLSA). |
| 36 |
> |
| 37 |
> Drobbins has said that he would prefer the update script to be |
| 38 |
> incorporated into emerge as soon as possible. I get the impression |
| 39 |
> from Carpaski that we can, indeed, do that. |
| 40 |
|
| 41 |
I'm not against portage integration, but I'd rather want to finish and |
| 42 |
test the script and the GLSA framework before we put it into emerge. We |
| 43 |
wouldn't do anyone a favor if we put unfinished stuff in portage. The |
| 44 |
integration isn't that difficult, just adding some files to the portage |
| 45 |
tarball and changing a few calls to use portage functions instead of |
| 46 |
emerge / portageq. |
| 47 |
|
| 48 |
> Nice job! |
| 49 |
> -g2boojum- |
| 50 |
|
| 51 |
Thanks |
| 52 |
|
| 53 |
Marius |
| 54 |
|
| 55 |
-- |
| 56 |
Public Key at http://www.genone.de/info/gpg-key.pub |
| 57 |
|
| 58 |
In the beginning, there was nothing. And God said, 'Let there be |
| 59 |
Light.' And there was still nothing, but you could see a bit better. |
Archives