On Fri, 22 Aug 2003 21:50:15 +0200
Karsten Schulz <kaschu@×××××××××.de> wrote:

> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> Just a few suggestions from me:
> I would remove the 'severity' attribute from the DTD. It depends on
> your local configuration whether a software bug is critical for your
> systems or not. Btw, who will explain the difference between 'high'
> and 'critical'? On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention; imho there is no need
> to differentiate it further, and every admin has to decide for himself
> respectively.

Well, I've taken that from the existing GLSA format; it is currently not
used by my code. I've no real opinion on that, someone from the security
team (aliz, solar ?) should decide that.

> For admins' convenience, I would like to have an optional URL element,
> which can contain a location where the bug is discussed (in addition
> to the CVE, which is not available in every case). The URL could point
> to the mailing list of the program developers or other serious sources
> like security lists. This would just help the admin to get more
> information about the bug.

Might be useful, any objections to including that information?

> I would like to second Caleb's suggestion to sign GLSAs. Besides, there
> is a need for a central Security page at www.gentoo.org, where users and
> admins get some hints on how the security related communication works
> (who creates and checks GLSAs, which public keys are used, a.s.o.)

Well, I think that's outside of the scope of this GLEP.

> My last point: the last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback that the security team is
> aware of current problems. I would like to see GLSAs on a regular
> schedule, with status reports on which exploits, bugs and incidents are
> currently under examination. Imho GLSAs need not provide bugfixes in
> every case; they can provide only information, too. So the element
> 'fixed' in the DTD should allow the value 'none' when it is
> important that Gentoo users get security related information without
> providing a solution in the form of a software update.

I don't like the idea of GLSAs being used for that, a simple status
update email on gentoo-security should do the job (again, that's
outside the scope of this GLEP).
The DTD does not require the <fixed> tag to contain a <version> tag, so
the special value none is not necessary.

Marius

--
gentoo-dev@g.o mailing list
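As an added illustration of the last point in Marius's reply (not code from the GLEP, the list posters, or Gentoo): a consumer of such advisories can treat an empty <fixed> element as "no fixed version published yet", so no magic value like 'none' is needed, and a literal 'none' inside <version> can be rejected rather than handed to the package manager as a version string. The element names (glsa, title, cve, url, fixed, version), the content model "fixed may contain zero or more version children", and the sample advisories are assumptions constructed for this example, not the real GLSA DTD or real advisories.

```python
"""Added example: handling an optional <version> inside <fixed>.

Not the GLEP's DTD or Gentoo code. Element names, the content model
<!ELEMENT fixed (version*)>, and the sample documents are assumptions
made here so the example runs stand-alone.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Advisory:
    advisory_id: str
    title: str
    cve: Optional[str]         # CVE is optional: not every bug has one
    urls: List[str]            # assumed optional <url> references
    fixed_versions: List[str]  # empty list means no fixed version published

    @property
    def has_fix(self) -> bool:
        # An empty <fixed> already says "no fix"; no 'none' value is needed.
        return bool(self.fixed_versions)


def parse_advisory(xml_text: str) -> Advisory:
    """Parse one advisory and enforce the assumed content model by hand,
    since xml.etree performs no DTD validation."""
    root = ET.fromstring(xml_text)
    if root.tag != "glsa":
        raise ValueError("root element must be <glsa>, got <%s>" % root.tag)
    fixed = root.find("fixed")
    if fixed is None:
        raise ValueError("<fixed> is required, even when it is empty")
    stray = [child.tag for child in fixed if child.tag != "version"]
    if stray:
        raise ValueError("<fixed> may only contain <version>, found %s" % stray)
    versions = [(v.text or "").strip() for v in fixed.findall("version")]
    for v in versions:
        if not v:
            raise ValueError("empty <version> element")
        if v.lower() == "none":
            # A magic string would later reach the package manager as a
            # version to upgrade to; the element should be omitted instead.
            raise ValueError("use an empty <fixed>, not <version>none</version>")
    title_el = root.find("title")
    title = (title_el.text or "").strip() if title_el is not None else ""
    cve_el = root.find("cve")
    cve = (cve_el.text or "").strip() if cve_el is not None else ""
    return Advisory(
        advisory_id=root.get("id", ""),
        title=title,
        cve=cve or None,
        urls=[(u.text or "").strip() for u in root.findall("url")],
        fixed_versions=versions,
    )


def admin_action(adv: Advisory) -> str:
    """Summarise what an admin reading the advisory should do."""
    if adv.has_fix:
        return "update to " + ", ".join(adv.fixed_versions)
    refs = adv.urls + ([adv.cve] if adv.cve else [])
    if refs:
        return "no fix yet; read " + ", ".join(refs)
    return "no fix yet; no references given"


# Constructed samples (not real advisories; the CVE value is a placeholder).
WITH_FIX = """<?xml version="1.0"?>
<glsa id="example-01">
  <title>example-pkg: crash in request parser</title>
  <cve>CVE-YYYY-NNNN</cve>
  <url>https://lists.example.invalid/security/thread-123</url>
  <fixed><version>net-misc/example-pkg-1.2.3</version></fixed>
</glsa>
"""

NO_FIX_YET = """<?xml version="1.0"?>
<glsa id="example-02">
  <title>example-pkg: issue under examination, no upstream fix yet</title>
  <url>https://lists.example.invalid/security/thread-124</url>
  <fixed/>
</glsa>
"""

BAD_MAGIC = "<glsa id=\"example-03\"><title>x</title>" \
            "<fixed><version>none</version></fixed></glsa>"


if __name__ == "__main__":
    for doc in (WITH_FIX, NO_FIX_YET):
        adv = parse_advisory(doc)
        print(adv.advisory_id, "->", admin_action(adv))
```

The point of rejecting a literal 'none' is that an advisory consumer which blindly feeds <version> text to a package manager would otherwise try to resolve "none" as a version; an absent child is unambiguous and needs no special casing downstream.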