| 1 |
Am Freitag, 22. August 2003 19:19 schrieb Marius Mauch: |
| 2 |
> Everything in the GLEP is open for discussion, please share your |
| 3 |
> questions/comments/concerns with the other people on this list |
| 4 |
|
| 5 |
just a few suggestions from me: |
| 6 |
I would remove the 'severity' attribute from the dtd. It depends on your |
| 7 |
local configuration wether a software bug is critical for your systems |
| 8 |
or not. Btw. who will explain the difference between 'high' and |
| 9 |
'critical'. On my systems 'high' *is* 'critical'. |
| 10 |
A GLSA is per se important and needs attention, imho there is no need to |
| 11 |
differentiate it further, and every admin has to decide for himself |
| 12 |
respectively. |
| 13 |
|
| 14 |
For admin's convinience, I would like to have an optional URL element, |
| 15 |
which can contain a location, where the bug is discussed (in addition |
| 16 |
to the CVE, which is not available in every case). The URL could point |
| 17 |
to the mailinglist of the program developers or other serious sources |
| 18 |
like security lists. This would just help the admin to get more |
| 19 |
information about the bug. |
| 20 |
|
| 21 |
I would like to second Calebs suggestion to sign GLSAs. Besides there is |
| 22 |
need for a central Security page at www.gentoo.org, where users and |
| 23 |
admins get some hints how the security related communication works (Who |
| 24 |
creates and checks GLSAs, which public keys are used, a.s.o.) |
| 25 |
|
| 26 |
My last point: The last few weeks, there were no new GLSAs, but some |
| 27 |
security related discussions elsewhere (unzip, gdm, XDMCP and others). |
| 28 |
There were no statements or GLSAs from Gentoo about such stories. It |
| 29 |
would be nice to have some kind of feedback, that the security team is |
| 30 |
aware of current problems. I would like to see GLSAs in a regular |
| 31 |
schedule, with status reports, which exploits, bugs and incidents are |
| 32 |
currently under examination. Imho GLSAs must not provide bugfixes in |
| 33 |
every case, they can provide only information, too. So the element |
| 34 |
'fixed' in the dtd should allow the value 'none', when it is important, |
| 35 |
that Gentoo users get security related information without providing a |
| 36 |
solution in form of a software update. |
| 37 |
|
| 38 |
that's all for the moment, |
| 39 |
Karsten |
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-dev@g.o mailing list |
Archives