> On Dec 15, 2016, at 4:58 PM, Rich Freeman <rich0@g.o> wrote:
> You could send it out when the stablereq goes out. Then you know what
> the stable target is. Presumably any newer version would also contain
> the fix if for some reason it gets revbumped.
>
> It probably wouldn't hurt to send out a notice at the end of the
> deadline based upon the severity of the issue just to let people know
> they're vulnerable. That is, if a vulnerability normally has a 3 day
> target, then delay sending a notice until there is a stable request,
> or until 3 days elapse, whichever comes first.

Then before we do this we need to understand if the Arch teams look at the severity of a security bug and stabilize the higher severity bugs first. Now, I am not part of the arch team, so I have no idea if internally there is a process for stabilizing security bugs that have a higher rating [{A1,C0} = 3 Days, {A2,B1,C1} = 5 Days, {A3,B2,C2} = 10 Days] based on the priority of the security bug and putting them ahead of standard stabilization on behalf of our users.

Input from the Arch teams would be great here to find out if security prioritization is done on stabilization or if it is "first come, first served", etc.

On a side note, the security team could use more members as part of the security project to help with the GLSA releases.

Thank you,
BlueKnight