On Tue, 30-09-2014 at 13:47 +0400, Sergey Popov wrote:

[...]

> I think you have got some things wrong - they are masked not instead of
> a GLSA, but prior to it.
>
> Let me explain the process on behalf of my security hat - before
> releasing a GLSA we should get rid of all vulnerable versions in the tree.
> However, sometimes this leads to problems with migration to new
> versions (usually happens with complex packages, for example OpenLDAP).
> So, to mark that some versions are really not for ordinary users we can
> security mask them. After that we do not need to remove them, just
> keep an eye on them so that they do not get unmasked. The next step for these
> versions is only to be removed from the tree, after all issues with
> dependent packages have been fixed.
>
> And then we can proceed with making the GLSA. Masking of a package does not
> replace making a GLSA and never was!
>
> If you claim that the GLSA making process is too slow, well... We have
> a vast amount of security issues and not many people who handle them, so
> - here we are...
>
> As for ppp, I masked it because there are some packages in the tree that
> hardcode usage of specific versions of ppp and they should be patched
> BEFORE vulnerable versions of ppp leave the tree.
>
> I want to note that such practice was established a long time ago,
> from the very beginning of the Gentoo Security team, and I do not think that
> we should change anything in it.
>

Just a question: why aren't GLSAs released until the vulnerable version
is dropped? Wouldn't it be better for people relying on GLSAs to get
the GLSA as soon as they can install the fixed version (I mean, when
that version is stabilized)?

Thanks for the info :)