Gentoo Archives: gentoo-security

From: "William L. Thomson Jr." <wltjr@g.o>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Days of yore
Date: Mon, 16 Apr 2007 14:15:05
In Reply to: Re: [gentoo-security] Days of yore by Kurt Lieber
On Mon, 2007-04-16 at 08:32 -0500, Kurt Lieber wrote:
> On 4/16/07, Calum <caluml@×××××.com> wrote:
> > But the infrastructure is already in place for GLSA's.
>
> You have to chase security people down to draft the GLSA. You have to chase more security people down to peer review the GLSA.
In my limited experience with vulnerabilities in packages I maintain, the problem or delays seem to be with the last two steps listed. Not to simplify them by any means, or the preceding steps. Not to mention in my case upstream had already acted, etc., so no patching or the like was needed on my behalf. Just bumps and stabilization if anything.
> I don't know that we've ever formally quantified how much time an average GLSA takes, but my semi-educated guess would be in the neighborhood of 10 hours per package.
I would not be surprised, and surely that if they have to follow it through from start to finish. Less if say maintaining devs are responsible for addressing their vulnerable package, and not leaving it up to others like security team. All must do their parts to get things done in a timely manner.
> Now, take that process and multiply it by the number of -sources in the tree and you can start to get an idea for how much time it takes to issue kernel updates.
Kernel issues must be a nightmare for the security team.
> So, again, #gentoo-security is where you can start being part of the solution.
If I had the time I would go join and help. As is, already quite over committed :)

--
William L. Thomson Jr.
Gentoo/Java


Attachment: signature.asc (application/pgp-signature)


Replies to this message: Re: [gentoo-security] Days of yore, by Sune Kloppenborg Jeppesen <jaervosz@g.o>