| 1 |
Hi Thierry, |
| 2 |
|
| 3 |
On Tue, 2004-05-18 at 22:05, Thierry Carrez wrote: |
| 4 |
> Hello everyone, |
| 5 |
> |
| 6 |
> We're in the process of publishing Gentoo Official Policy for the |
| 7 |
> treatment of vulnerabilities. You can review the latest draft at the |
| 8 |
> following location : |
| 9 |
> |
| 10 |
> http://dev.gentoo.org/~koon/docs/vulnerability-policy.html |
| 11 |
> |
| 12 |
> Comments welcome. |
| 13 |
|
| 14 |
|
| 15 |
"Confidential vulnerabilities |
| 16 |
|
| 17 |
Confidential vulnerabilities (for example coming from developer's direct |
| 18 |
communication or restricted vendor-sec lists) should follow a specific |
| 19 |
procedure. They should not appear as a public bugzilla entry, but only |
| 20 |
in the (private) GLSAMaker tool. They should get corrected using private |
| 21 |
communication channels between the GLSA coordinator and the package |
| 22 |
maintainer." |
| 23 |
|
| 24 |
What's this about? I can't imagine what a "confidential vulnerability" |
| 25 |
might be. This immediately prompts for "security by obscurity" remark, |
| 26 |
don't you think? |
| 27 |
|
| 28 |
Otherwise very good work. |
| 29 |
|
| 30 |
I'm back in the game by the way. I had to wait about 4 weeks until my |
| 31 |
replacement drive came in after my fatal crash and I have now a machine |
| 32 |
with Gentoo again. Thank God ;-) |
| 33 |
|
| 34 |
I am going to buy another spare hard drive with another installation on |
| 35 |
it so my machine won't fail on me in the future with these consequences. |
| 36 |
Though I have to admit that a few weeks with less computer usage have |
| 37 |
really been worthwhile ;-) |
| 38 |
|
| 39 |
I have started monitoring full-disclosure and bugtraq again, already |
| 40 |
commencing entering bugs into bugzilla. |
| 41 |
|
| 42 |
Mandrake has a nice link collection: |
| 43 |
|
| 44 |
http://www.mandrakesecure.net/en/secsites.php |
| 45 |
|
| 46 |
These would be good candidates to skim through too. Add the |
| 47 |
announcements of all the other big distributions and that should cover a |
| 48 |
great deal of relevant channels. |
| 49 |
|
| 50 |
regards, |
| 51 |
Tobias W. |
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
-- |
| 56 |
gentoo-security@g.o mailing list |
Archives