1 |
Kurt Lieber wrote: |
2 |
> We need folks to monitor bugzilla for security-related postings and then |
3 |
> push valid postings through the GLSA process. |
4 |
|
5 |
OK, so the process (and groups in charge) is : |
6 |
|
7 |
- Vulnerability is found, posted on specific software announce lists |
8 |
and/or general purpose security-lists) |
9 |
- User A that reads these groups posts a bugzilla entry |
10 |
- Developer/User B submits corrective ebuild on bugzilla |
11 |
- Developer C tests/inserts ebuild in official ~tree(s) |
12 |
- Developer D pushes ebuild in official stable tree(s) |
13 |
- SecurityGuy E writes a GLSA |
14 |
- SecurityChief F approves GLSA for posting |
15 |
|
16 |
Where is the shortage in manpower ? From what you say I deduce you need |
17 |
more of the "E" type, but are we sure there is not too much delay in the |
18 |
"B" "C" or "D" steps ? Should the "E" guy have authority to motivate the |
19 |
"C" and "D" guys ? |
20 |
|
21 |
I think I can help in the A and E steps, in software I follow for my own |
22 |
servers for example. |
23 |
|
24 |
> Kernel GLSAs are difficult because we can't release the GLSA until all our |
25 |
> kernels have been patched. |
26 |
|
27 |
That's because you want the GLSA to address the whole problems and not |
28 |
only parts of it. In the case of the latest kernel flaw, everyone had to |
29 |
wait 2 weeks for a GLSA while the corrected vanilla kernels were out the |
30 |
same day as vulnerability disclosure and most other corrected kernels |
31 |
were out two days after. |
32 |
|
33 |
Maybe we should consider releasing multiple GLSAs for the same problem. |
34 |
In the case of the latest kernel flaw, a GLSA describing a fix (using |
35 |
vanilla kernels) and a workaround (apply the following patch to your |
36 |
current kernel) could have been out very fast, and a second more |
37 |
comprehensive GLSA treating all other sources could have wait. This way |
38 |
everyone would have known of the problem, known how to avoid it, and |
39 |
known that a second GLSA would be issued on the subject for final |
40 |
resolution. |
41 |
|
42 |
- Koon |
43 |
|
44 |
-- |
45 |
gentoo-security@g.o mailing list |