| 1 |
On Fri, 22 Aug 2003 21:50:15 +0200 |
| 2 |
Karsten Schulz <kaschu@×××××××××.de> wrote: |
| 3 |
|
| 4 |
> Am Freitag, 22. August 2003 19:19 schrieb Marius Mauch: |
| 5 |
> > Everything in the GLEP is open for discussion, please share your |
| 6 |
> > questions/comments/concerns with the other people on this list |
| 7 |
> |
| 8 |
> just a few suggestions from me: |
| 9 |
> I would remove the 'severity' attribute from the dtd. It depends on |
| 10 |
> your local configuration wether a software bug is critical for your |
| 11 |
> systems or not. Btw. who will explain the difference between 'high' |
| 12 |
> and 'critical'. On my systems 'high' *is* 'critical'. |
| 13 |
> A GLSA is per se important and needs attention, imho there is no need |
| 14 |
> to differentiate it further, and every admin has to decide for himself |
| 15 |
> respectively. |
| 16 |
|
| 17 |
Well, I've taken that from the existing GLSA format, it is currently not |
| 18 |
used by my code. I've no real opinion on that, someone from the security |
| 19 |
team (aliz, solar ?) should decide that. |
| 20 |
|
| 21 |
> For admin's convinience, I would like to have an optional URL element, |
| 22 |
> which can contain a location, where the bug is discussed (in addition |
| 23 |
> to the CVE, which is not available in every case). The URL could point |
| 24 |
> to the mailinglist of the program developers or other serious sources |
| 25 |
> like security lists. This would just help the admin to get more |
| 26 |
> information about the bug. |
| 27 |
|
| 28 |
Might be useful, any objections to include that information? |
| 29 |
|
| 30 |
> I would like to second Calebs suggestion to sign GLSAs. Besides there |
| 31 |
> is need for a central Security page at www.gentoo.org, where users and |
| 32 |
> admins get some hints how the security related communication works |
| 33 |
> (Who creates and checks GLSAs, which public keys are used, a.s.o.) |
| 34 |
|
| 35 |
Well, I think that's outside of the scope of this GLEP. |
| 36 |
|
| 37 |
> My last point: The last few weeks, there were no new GLSAs, but some |
| 38 |
> security related discussions elsewhere (unzip, gdm, XDMCP and others). |
| 39 |
> There were no statements or GLSAs from Gentoo about such stories. It |
| 40 |
> would be nice to have some kind of feedback, that the security team is |
| 41 |
> aware of current problems. I would like to see GLSAs in a regular |
| 42 |
> schedule, with status reports, which exploits, bugs and incidents are |
| 43 |
> currently under examination. Imho GLSAs must not provide bugfixes in |
| 44 |
> every case, they can provide only information, too. So the element |
| 45 |
> 'fixed' in the dtd should allow the value 'none', when it is |
| 46 |
> important, that Gentoo users get security related information without |
| 47 |
> providing a solution in form of a software update. |
| 48 |
|
| 49 |
I don't like the idea of GLSAs being used for that, a simple status |
| 50 |
update email on gentoo-security should do the job (again, that's |
| 51 |
outside the scope of this GLEP). |
| 52 |
The DTD does not require the <fixed> tag to contain a <version> tag, so |
| 53 |
the special value none is not necessary. |
| 54 |
|
| 55 |
Marius |
| 56 |
|
| 57 |
-- |
| 58 |
gentoo-dev@g.o mailing list |
Archives