I'm short on time so here's a quick answer to your questions.

On Thursday 11 November 2004 09:41, Chris Haumesser wrote:
<snip>
> Is there a written policy for determining what issues warrant the
> issuance of a GLSA? If so, where? If not, should there be?

http://security.gentoo.org should provide you with the pointers requested.

> What does the gentoo developer handbook have to say about security?
> Should it address the security expectations we have of software developers?

I would say yes, but no one has done it yet.

> To what extent should the community be involved in managing security
> issues? What mechanisms exist for this? Should there be a more
> streamlined way for users to see what the status of current security
> efforts is?

As with most of the development process there is http://bugs.gentoo.org.

But I'm all ears for other proposals, we love contributions.

> Is there a set of criteria we can agree on that might aid us in
> assessing the severity of a threat and need for a fix, in a way that is
> reasonable and fair? How are potential threats currently assessed?

See Vulnerability Policy on the above page.

> What should someone do if they think a serious problem is being
> overlooked or actively ignored? Is there a way to set up some
> protocols/procedures that might avoid this kind of flame war in the future?

File a security bug at http://bugs.gentoo.org

>
> I hope no one sees this as trolling. I'm not trying to start another
> flame war, but I think these are all fundamental, legitimate questions
> raised by this thread. Where exactly _does_ the gentoo project stand on
> security? And how do I find out? This is a key piece of missing
> perspective.
http://www.gentoo.org -> Security Announcements

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team