On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list

Just a few suggestions from me:
I would remove the 'severity' attribute from the DTD. It depends on your
local configuration whether a software bug is critical for your systems
or not. Btw. who will explain the difference between 'high' and
'critical'? On my systems 'high' *is* 'critical'.
A GLSA is per se important and needs attention; imho there is no need to
differentiate it further, and every admin has to decide that for himself.

For admins' convenience, I would like to have an optional URL element
which can contain a location where the bug is discussed (in addition
to the CVE, which is not available in every case). The URL could point
to the mailing list of the program developers or other serious sources
like security lists. This would just help the admin get more
information about the bug.

I would like to second Caleb's suggestion to sign GLSAs. Besides, there is
a need for a central Security page at www.gentoo.org, where users and
admins get some hints on how the security related communication works (who
creates and checks GLSAs, which public keys are used, and so on).

My last point: in the last few weeks there were no new GLSAs, but some
security related discussions elsewhere (unzip, gdm, XDMCP and others).
There were no statements or GLSAs from Gentoo about such stories. It
would be nice to have some kind of feedback that the security team is
aware of current problems. I would like to see GLSAs on a regular
schedule, with status reports on which exploits, bugs and incidents are
currently under examination. Imho GLSAs need not provide bugfixes in
every case; they can provide only information, too. So the element
'fixed' in the DTD should allow the value 'none' when it is important
that Gentoo users get security related information without being given a
solution in the form of a software update.

That's all for the moment,
Karsten

-- 
gentoo-dev@g.o mailing list
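The two DTD changes Karsten proposes (an optional URL element next to the CVE, and a 'fixed' element that may carry the value 'none' for information-only advisories) are easy to get wrong on the consuming side, so here is an added example of how an advisory consumer could handle them. This is not code from the mail, the GLEP or Gentoo; the element layout (`<glsa id>`, `<package>`, `<cve>`, `<url>`, `<fixed>`), the sample documents and the CVE/version values are all constructed placeholders for this example and are not the real GLSA DTD. The one security-relevant check it adds beyond the mail's wording is that a free-form `<url>` written by an advisory author is only accepted with an http(s) scheme before it is shown to an admin.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical advisory layout used only for this example (not the GLSA DTD):
#   <glsa id="...">
#     <package>category/name</package>
#     <cve>CAN-YYYY-NNNN</cve>        zero or more (CVE is "not available in every case")
#     <url>http(s)://...</url>        zero or more, the proposed optional element
#     <fixed>version-or-none</fixed>  'none' means the advisory is information only
#   </glsa>

CVE_RE = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$")
SAFE_SCHEMES = {"http", "https"}


@dataclass
class Advisory:
    glsa_id: str
    package: str
    cves: List[str]
    urls: List[str]
    fixed_version: Optional[str]  # None when <fixed>none</fixed>

    @property
    def informational(self) -> bool:
        """True when the advisory carries information but no update to install."""
        return self.fixed_version is None


def _required_text(root: ET.Element, name: str) -> str:
    child = root.find(name)
    if child is None or not (child.text or "").strip():
        raise ValueError(f"missing <{name}> element")
    return child.text.strip()


def parse_advisory(xml_text: str) -> Advisory:
    root = ET.fromstring(xml_text)
    if root.tag != "glsa":
        raise ValueError(f"unexpected root element <{root.tag}>")
    glsa_id = root.get("id")
    if not glsa_id:
        raise ValueError("advisory has no id attribute")

    cves = [c.text.strip() for c in root.findall("cve") if c.text]
    bad = [c for c in cves if not CVE_RE.match(c)]
    if bad:
        raise ValueError(f"malformed CVE identifiers: {bad}")

    # The URL is free-form text chosen by the advisory author and is going to be
    # displayed to (and followed by) admins, so only accept http(s) with a host.
    urls = []
    for u in root.findall("url"):
        value = (u.text or "").strip()
        parsed = urlparse(value)
        if parsed.scheme not in SAFE_SCHEMES or not parsed.netloc:
            raise ValueError(f"rejecting non-http(s) url: {value!r}")
        urls.append(value)

    # 'none' is the proposed marker for an information-only advisory.
    fixed = _required_text(root, "fixed")
    fixed_version = None if fixed.lower() == "none" else fixed

    return Advisory(glsa_id, _required_text(root, "package"), cves, urls, fixed_version)


# Constructed sample documents; ids, package names and CVE numbers are placeholders.
ADVISORY_WITH_FIX = """<glsa id="200308-01">
  <package>app-misc/example</package>
  <cve>CAN-2003-0000</cve>
  <url>http://lists.example.org/security/2003-08/msg00010.html</url>
  <fixed>1.2.3-r1</fixed>
</glsa>"""

ADVISORY_INFO_ONLY = """<glsa id="200308-02">
  <package>x11-misc/example-dm</package>
  <url>https://security.example.org/xdmcp-discussion</url>
  <fixed>none</fixed>
</glsa>"""


if __name__ == "__main__":
    for doc in (ADVISORY_WITH_FIX, ADVISORY_INFO_ONLY):
        adv = parse_advisory(doc)
        action = "update to " + adv.fixed_version if not adv.informational else "no fix yet, read the references"
        print(f"GLSA {adv.glsa_id} {adv.package}: {action}; refs={adv.cves + adv.urls}")
```

A consumer that ignores the 'none' case will try to build an upgrade out of the string "none"; keeping it as `fixed_version is None` makes the information-only advisory an explicit state rather than a version that does not exist.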