| 1 |
On Sat, 17 Dec 2016 01:13:55 +0000 |
| 2 |
"M. J. Everitt" <m.j.everitt@×××.org> wrote: |
| 3 |
|
| 4 |
> Picking a rather random post to chip in on, but here we go with my |
| 5 |
> thoughts... |
| 6 |
> |
| 7 |
> How about once we identify a [triaged] security issue, it gets assigned |
| 8 |
> a GLSA there and then, and a templated email gets sent out to notify |
| 9 |
> users of the vulnerability and the priority assigned to it internally. |
| 10 |
> You could also tag a bugzilla reference, for users to track progress in |
| 11 |
> between identification and resolution. Then, you should be able to meet |
| 12 |
> your published policy by pushing out some information to users, and |
| 13 |
> especially sysadmins, so they are informed, and can choose for |
| 14 |
> themselves what actions they feel appropriate to take in the first |
| 15 |
> instance (eg. mitigation until resolution is found). |
| 16 |
> |
| 17 |
> Then, post a 'FIXED' message referencing again the GLSA and bug ref. to |
| 18 |
> indicate the 'preferred' resolution, any appropriate package updates, |
| 19 |
> etc. once this has been tested/stabilised/etc. to allow for manpower |
| 20 |
> issues and anything else that could be considered 'beyond reasonable |
| 21 |
> control' from the Gentoo angle. Yes, so you get double the "spam", but |
| 22 |
> since security issues are relatively infrequent (vs. -dev bikeshedding, |
| 23 |
> etc) I don't honestly think that the burden of early vs. late |
| 24 |
> notification against extra email messages to be kept informed would be a |
| 25 |
> problem for most people appropriately concerned. |
| 26 |
|
| 27 |
Or you could have different streams for different grades of GLSA ( ie: |
| 28 |
weak advisory ones that aren't qualified with exploits, vs ones that |
| 29 |
are detailed strong avisories where people know the full extent of the issue) |
| 30 |
|
| 31 |
That way you, in following with gentoo principles, allow the user to decide |
| 32 |
what they care about the most and opt in to which of these they receive. |
Archives