| 1 |
I'm glad to see this project underway. I do have a couple of questions, |
| 2 |
though. |
| 3 |
|
| 4 |
> Security bugs should be kept in bugzilla, |
| 5 |
|
| 6 |
What's the rationale for keeping GLSA's in bugzilla, since bugzilla is |
| 7 |
going to have to be hacked to make it work? |
| 8 |
|
| 9 |
> The actual filing and editing of these bugs should be done with a new |
| 10 |
> interface that is specially designed for security bugs and GLSA |
| 11 |
> information. Once a security bug is marked as fixed a GLSA generation |
| 12 |
> script is run that generates the GLSA, GPG-signs it (depending on |
| 13 |
> policy) and distributes it on mailing lists, http- and rsync-servers. |
| 14 |
|
| 15 |
Where is this script run? If it's on a gentoo server, then I don't |
| 16 |
really like the idea of the script signing the GLSA. Perhaps I'm just |
| 17 |
being paranoid, but I would really prefer the signing to be performed by |
| 18 |
the user issuing the GLSA. If, on the other hand, there is a GLSA tool |
| 19 |
that devs can run on their own machines that assists the dev in creating |
| 20 |
the GLSA, then signs the GLSA and uploads it to the appropriate |
| 21 |
location, that would be just fine with me. |
| 22 |
|
| 23 |
> The update script then can take the GLSAs from /usr/portage/glsa or the |
| 24 |
> http repository (to avoid unneeded syncs just to get the GLSA). |
| 25 |
|
| 26 |
Drobbins has said that he would prefer the update script to be |
| 27 |
incorporated into emerge as soon as possible. I get the impression from |
| 28 |
Carpaski that we can, indeed, do that. |
| 29 |
|
| 30 |
Nice job! |
| 31 |
-g2boojum- |
| 32 |
-- |
| 33 |
Grant Goodyear <g2boojum@g.o> |
Archives