On Sat, 17 Dec 2016 01:13:55 +0000
"M. J. Everitt" <m.j.everitt@×××.org> wrote:

> Picking a rather random post to chip in on, but here we go with my
> thoughts...
>
> How about once we identify a [triaged] security issue, it gets assigned
> a GLSA there and then, and a templated email gets sent out to notify
> users of the vulnerability and the priority assigned to it internally.
> You could also tag a bugzilla reference, for users to track progress in
> between identification and resolution. Then, you should be able to meet
> your published policy by pushing out some information to users, and
> especially sysadmins, so they are informed, and can choose for
> themselves what actions they feel appropriate to take in the first
> instance (eg. mitigation until resolution is found).
>
> Then, post a 'FIXED' message referencing again the GLSA and bug ref. to
> indicate the 'preferred' resolution, any appropriate package updates,
> etc. once this has been tested/stabilised/etc. to allow for manpower
> issues and anything else that could be considered 'beyond reasonable
> control' from the Gentoo angle. Yes, so you get double the "spam", but
> since security issues are relatively infrequent (vs. -dev bikeshedding,
> etc) I don't honestly think that the burden of early vs. late
> notification against extra email messages to be kept informed would be a
> problem for most people appropriately concerned.

Or you could have different streams for different grades of GLSA (ie:
weak advisory ones that aren't qualified with exploits, vs ones that
are detailed strong advisories where people know the full extent of the issue).

That way you, in following with Gentoo principles, allow the user to decide
what they care about the most and opt in to which of these they receive.