| 1 |
Kurt Lieber wrote: |
| 2 |
> We need folks to monitor bugzilla for security-related postings and then |
| 3 |
> push valid postings through the GLSA process. |
| 4 |
|
| 5 |
OK, so the process (and groups in charge) is : |
| 6 |
|
| 7 |
- Vulnerability is found, posted on specific software announce lists |
| 8 |
and/or general purpose security-lists) |
| 9 |
- User A that reads these groups posts a bugzilla entry |
| 10 |
- Developer/User B submits corrective ebuild on bugzilla |
| 11 |
- Developer C tests/inserts ebuild in official ~tree(s) |
| 12 |
- Developer D pushes ebuild in official stable tree(s) |
| 13 |
- SecurityGuy E writes a GLSA |
| 14 |
- SecurityChief F approves GLSA for posting |
| 15 |
|
| 16 |
Where is the shortage in manpower ? From what you say I deduce you need |
| 17 |
more of the "E" type, but are we sure there is not too much delay in the |
| 18 |
"B" "C" or "D" steps ? Should the "E" guy have authority to motivate the |
| 19 |
"C" and "D" guys ? |
| 20 |
|
| 21 |
I think I can help in the A and E steps, in software I follow for my own |
| 22 |
servers for example. |
| 23 |
|
| 24 |
> Kernel GLSAs are difficult because we can't release the GLSA until all our |
| 25 |
> kernels have been patched. |
| 26 |
|
| 27 |
That's because you want the GLSA to address the whole problems and not |
| 28 |
only parts of it. In the case of the latest kernel flaw, everyone had to |
| 29 |
wait 2 weeks for a GLSA while the corrected vanilla kernels were out the |
| 30 |
same day as vulnerability disclosure and most other corrected kernels |
| 31 |
were out two days after. |
| 32 |
|
| 33 |
Maybe we should consider releasing multiple GLSAs for the same problem. |
| 34 |
In the case of the latest kernel flaw, a GLSA describing a fix (using |
| 35 |
vanilla kernels) and a workaround (apply the following patch to your |
| 36 |
current kernel) could have been out very fast, and a second more |
| 37 |
comprehensive GLSA treating all other sources could have wait. This way |
| 38 |
everyone would have known of the problem, known how to avoid it, and |
| 39 |
known that a second GLSA would be issued on the subject for final |
| 40 |
resolution. |
| 41 |
|
| 42 |
- Koon |
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-security@g.o mailing list |
Archives