Gentoo Archives: gentoo-project

From: Yury German <blueknight@g.o>
To: gentoo-project@l.g.o
Cc: Gentoo Security <security@g.o>
Subject: Re: [gentoo-project] RFC: Making GLSAs useful for security
Date: Thu, 15 Dec 2016 22:21:01
Message-Id: 7DB37FAA-EF6D-4B86-8082-CA33081A7EBE@gentoo.org
In Reply to: Re: [gentoo-project] RFC: Making GLSAs useful for security by Rich Freeman
> On Dec 15, 2016, at 4:58 PM, Rich Freeman <rich0@g.o> wrote:
> You could send it out when the stablereq goes out. Then you know what
> the stable target is. Presumably any newer version would also contain
> the fix if for some reason it gets revbumped.
>
> It probably wouldn't hurt to send out a notice at the end of the
> deadline based upon the severity of the issue just to let people know
> they're vulnerable. That is, if a vulnerability normally has a 3 day
> target, then delay sending a notice until there is a stable request,
> or until 3 days elapse, whichever comes first.

Then, before we do this, we need to understand whether the Arch teams look at the severity of a security bug and stabilize the higher-severity bugs first. Now, I am not part of the arch team, so I have no idea if internally there is a process for stabilizing security bugs that have a higher rating [{A1,C0} = 3 Days, {A2,B1,C1} = 5 Days, {A3,B2,C2} = 10 Days] based on the priority of the security bug and putting them ahead of standard stabilization on behalf of our users.

Input from the Arch teams would be great here, to find out whether security prioritization is done on stabilization or whether it is "first come, first served", etc.

On a side note, the security team could use more members as part of the security project to help with the GLSA releases.

Thank you,
BlueKnight