Gentoo Archives: gentoo-dev

From: Paul de Vrieze <pauldv@g.o>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] GLEP #14: security updates based on GLSA
Date: Fri, 22 Aug 2003 20:19:19
Message-Id: 200308222219.11859.pauldv@gentoo.org
In Reply to: Re: [gentoo-dev] GLEP #14: security updates based on GLSA by Karsten Schulz
On Friday 22 August 2003 21:50, Karsten Schulz wrote:
> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> just a few suggestions from me:
> I would remove the 'severity' attribute from the dtd. It depends on your
> local configuration whether a software bug is critical for your systems
> or not. Btw. who will explain the difference between 'high' and
> 'critical'. On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention, imho there is no need to
> differentiate it further, and every admin has to decide for himself
> respectively.

Maybe a bug classification could be used like:
(local exploit, remote exploit, denial of service, local denial of service)

>
> My last point: The last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular
> schedule, with status reports, which exploits, bugs and incidents are
> currently under examination. Imho GLSAs must not provide bugfixes in
> every case, they can provide only information, too. So the element
> 'fixed' in the dtd should allow the value 'none', when it is important,
> that Gentoo users get security related information without providing a
> solution in form of a software update.

If you want to make sure a point is not missed by the security team, post a
bug on bugs.gentoo.org and make sure you make clear it is a security bug.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net
