Gentoo Archives: gentoo-dev

From: Grant Goodyear <g2boojum@g.o>
To: gentoo-dev@g.o
Subject: Re: [gentoo-dev] GLEP 14 follow-up / security project
Date: Tue, 23 Sep 2003 15:23:33
In Reply to: [gentoo-dev] GLEP 14 follow-up / security project by Marius Mauch
I'm glad to see this project underway. I do have a couple of questions,
though.

> Security bugs should be kept in bugzilla,

What's the rationale for keeping GLSA's in bugzilla, since bugzilla is
going to have to be hacked to make it work?

> The actual filing and editing of these bugs should be done with a new
> interface that is specially designed for security bugs and GLSA
> information. Once a security bug is marked as fixed a GLSA generation
> script is run that generates the GLSA, GPG-signs it (depending on
> policy) and distributes it on mailing lists, http- and rsync-servers.

Where is this script run? If it's on a gentoo server, then I don't
really like the idea of the script signing the GLSA. Perhaps I'm just
being paranoid, but I would really prefer the signing to be performed by
the user issuing the GLSA. If, on the other hand, there is a GLSA tool
that devs can run on their own machines that assists the dev in creating
the GLSA, then signs the GLSA and uploads it to the appropriate
location, that would be just fine with me.

> The update script then can take the GLSAs from /usr/portage/glsa or the
> http repository (to avoid unneeded syncs just to get the GLSA).

Drobbins has said that he would prefer the update script to be
incorporated into emerge as soon as possible. I get the impression from
Carpaski that we can, indeed, do that.

Nice job!
-g2boojum-
--
Grant Goodyear <g2boojum@g.o>


File name MIME type
signature.asc application/pgp-signature

