I'm glad to see this project underway. I do have a couple of questions,
though.

> Security bugs should be kept in bugzilla,

What's the rationale for keeping GLSAs in bugzilla, since bugzilla is
going to have to be hacked to make it work?

> The actual filing and editing of these bugs should be done with a new
> interface that is specially designed for security bugs and GLSA
> information. Once a security bug is marked as fixed a GLSA generation
> script is run that generates the GLSA, GPG-signs it (depending on
> policy) and distributes it on mailing lists, http- and rsync-servers.

Where is this script run? If it's on a gentoo server, then I don't
really like the idea of the script signing the GLSA. Perhaps I'm just
being paranoid, but I would really prefer the signing to be performed by
the user issuing the GLSA. If, on the other hand, there is a GLSA tool
that devs can run on their own machines that assists the dev in creating
the GLSA, then signs the GLSA and uploads it to the appropriate
location, that would be just fine with me.

> The update script then can take the GLSAs from /usr/portage/glsa or the
> http repository (to avoid unneeded syncs just to get the GLSA).

Drobbins has said that he would prefer the update script to be
incorporated into emerge as soon as possible. I get the impression from
Carpaski that we can, indeed, do that.

Nice job!
-g2boojum-
--
Grant Goodyear <g2boojum@g.o>
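As an added illustration of the "update script" side of the workflow discussed in this message (this is example code written for this page, not Gentoo's glsa-check or anything from the thread): a minimal advisory checker that reads a list of advisory records and reports which installed packages are still below the first unaffected version. The record format, the advisory ids (`GLSA-EXAMPLE-*`), the package names and the installed-version table are all constructed for the example and are not the real GLSA XML schema or real advisories. Version handling is deliberately simplified to dotted numeric versions with an optional `-rN` revision; real Portage versions also carry suffixes such as `_rc1` or `_p2`, which this parser rejects rather than guessing about. Signature verification of the advisory file is assumed to happen before this step (e.g. with gpg) and is outside the example.

```python
import re
from dataclasses import dataclass

# Constructed sample advisory list: "<id> <category/package> <first unaffected version>".
# These ids and packages are placeholders, not real GLSAs.
ADVISORIES = """\
# id                  package                  first-unaffected-version
GLSA-EXAMPLE-001      app-misc/example-tool    1.2.1
GLSA-EXAMPLE-002      net-misc/example-daemon  0.9.0-r2
GLSA-EXAMPLE-003      dev-libs/example-lib     3.0
GLSA-EXAMPLE-004      app-editors/example-ed   2.0
"""

# Constructed stand-in for "what is installed on this box" (e.g. from /var/db/pkg).
INSTALLED = {
    "app-misc/example-tool": "1.2.0-r1",    # below 1.2.1  -> affected
    "net-misc/example-daemon": "0.9.0-r2",  # equal        -> not affected
    "dev-libs/example-lib": "3.0.1",        # above 3.0    -> not affected
    # app-editors/example-ed is not installed -> advisory does not apply
}


@dataclass(frozen=True)
class Advisory:
    glsa_id: str
    package: str         # category/name
    unaffected_min: str  # first version that carries the fix


# Simplified version syntax: dotted integers plus optional -rN revision.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> tuple[tuple[int, ...], int]:
    """Turn '1.2.0-r1' into ((1, 2, 0), 1). Raises on syntax this toy does not model."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0
    return numbers, revision


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b (1.2 == 1.2.0)."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return (na, ra) < (nb, rb)


def parse_advisories(text: str) -> list[Advisory]:
    """Parse the constructed whitespace-separated advisory format; '#' lines are comments."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed advisory line: {line!r}")
        advisories.append(Advisory(*fields))
    return advisories


def affected_packages(advisories: list[Advisory], installed: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (advisory id, package, installed version) for every installed package
    whose version is still below the advisory's first unaffected version."""
    hits = []
    for adv in advisories:
        current = installed.get(adv.package)
        if current is None:
            continue  # package not installed: nothing to do
        if version_lt(current, adv.unaffected_min):
            hits.append((adv.glsa_id, adv.package, current))
    return sorted(hits)


if __name__ == "__main__":
    for glsa_id, package, current in affected_packages(parse_advisories(ADVISORIES), INSTALLED):
        print(f"{glsa_id}: {package}-{current} is affected; update required")
```

Run as a script it reports only `app-misc/example-tool`; the daemon exactly at the fixed revision and the library one patch level above it are correctly left alone, and an advisory for a package that is not installed is skipped. Refusing unknown version syntax, rather than silently comparing strings, is the safer failure mode for a checker whose whole job is to say "you are still vulnerable".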