On Friday 22 August 2003 21:50, Karsten Schulz wrote:
> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> just a few suggestions from me:
> I would remove the 'severity' attribute from the dtd. It depends on your
> local configuration whether a software bug is critical for your systems
> or not. Btw. who will explain the difference between 'high' and
> 'critical'. On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention, imho there is no need to
> differentiate it further, and every admin has to decide for himself
> respectively.
|
Maybe a bug classification could be used like:
(local exploit, remote exploit, denial of service, local denial of service)
|
>
> My last point: The last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular
> schedule, with status reports, which exploits, bugs and incidents are
> currently under examination. Imho GLSAs must not provide bugfixes in
> every case, they can provide only information, too. So the element
> 'fixed' in the dtd should allow the value 'none', when it is important,
> that Gentoo users get security related information without providing a
> solution in form of a software update.
|
If you want to make sure a point is not missed by the security team, post a
bug on bugs.gentoo.org and make sure you make clear it is a security bug.
|
Paul
|
--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@g.o
Homepage: http://www.devrieze.net