From: "Robert Buchholz (rbu)" <rbu@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml
Date: Tue, 14 Apr 2009 01:34:21 +0000
Message-ID: <E1LtXXZ-0003fo-HH@stork.gentoo.org>

rbu         09/04/14 01:34:21

  Modified:             coordinator_guide.xml
  Log:
  Add reference to SVN, and update how we handle bugs now.

Revision  Changes    Path
1.22                 xml/htdocs/security/en/coordinator_guide.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.22&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?rev=1.22&content-type=text/plain
diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/coordinator_guide.xml?r1=1.21&r2=1.22

Index: coordinator_guide.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xml,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- coordinator_guide.xml	13 Mar 2008 21:43:56 -0000	1.21
+++ coordinator_guide.xml	14 Apr 2009 01:34:21 -0000	1.22
@@ -11,6 +11,9 @@
 <author title="Author">
   <mail link="vorlon@gentoo.org">Matthias Geerdsen</mail>
 </author>
+<author title="Author">
+  <mail link="rbu@gentoo.org">Robert Buchholz</mail>
+</author>
 
 <abstract>
 This document contains procedures, tips and tricks applying to the
@@ -21,8 +24,8 @@
 <!-- See http://creativecommons.org/licenses/by-sa/1.0 -->
 <license/>
 
-<version>0.8.6</version>
-<date>2008-03-13</date>
+<version>0.8.7</version>
+<date>2008-04-14</date>
 
 <chapter>
 <title>Prerequisites</title>
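Review bot: the date bump on the `+<date>2008-04-14</date>` line looks wrong: this commit is dated 14 Apr 2009 (see the `+++ coordinator_guide.xml	14 Apr 2009` header) and the previous revision carried 2008-03-13, so 2008-04-14 would place revision 0.8.7 a year before it was written. It should read `<date>2009-04-14</date>`.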
@@ -33,9 +36,9 @@
 <p>
 A certain number of accounts must be established before working as a GLSA
 coordinator. To draft GLSAs you must get a
-<uri link="https://dev.gentoo.org/glsamaker/">GLSAMaker</uri> account. To
+<uri link="https://glsamaker.gentoo.org:4433/">GLSAMaker</uri> account. To
 manage security bugs you need to have a
-<uri link="http://bugs.gentoo.org">Bugzilla</uri> account, which will be
+<uri link="https://bugs.gentoo.org">Bugzilla</uri> account, which will be
 upgraded to <c>editbugs</c> privileges. To send GLSA announcements you
 need to have a yourname@gentoo.org address (i.e. to be a Gentoo developer).
 This address should be allowed to send to gentoo-announce.
@@ -58,9 +61,12 @@
 <p>
 You must create a GPG key for your yourname@gentoo.org email address. You
 can either create a specific key or add the gentoo.org address to an
-existing key. The key ID should be sent to devrel, and you should check
+existing key. The key ID should be <uri
+link="/proj/en/infrastructure/ldap.xml">set in the LDAP</uri>, and you
+should check
 that your name and key ID appears on the
-<uri link="http://www.gentoo.org/proj/en/devrel/roll-call/userinfo.xml">developer
+<uri
+link="/proj/en/devrel/roll-call/userinfo.xml">developer
 list</uri>. It is very important that the key is published at least on
 the <uri link="http://subkeys.pgp.net:11371">subkeys.pgp.net</uri> keyserver.
 It can also be submitted on other keyservers.
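Review bot: "The key ID should be set in the LDAP" leaves "key ID" ambiguous; short key IDs are not unique, and since the guide asks readers to verify that their name and key ID appear on the developer list, say which form (the full fingerprint, or at least the long ID) is expected in LDAP and on that list. On the unchanged context line, "your name and key ID appears" should be "appear". The subkeys.pgp.net link stays plain http on port 11371 (unauthenticated HKP) while the other links in this commit were moved to https or site-relative paths; the verification step should therefore rest on the LDAP and developer-list entry rather than on what the keyserver returns.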
@@ -198,11 +204,12 @@
 
 <p>
 Sometimes a bug is communicated to us under the promise we'll keep it secret
-until a public release. Restricted bugs have the "Gentoo Security" checkbox
+until a public release, usually known as the embargo date or coordinated release date.
+Restricted bugs have the "Gentoo Security" checkbox
 checked and therefore can only be accessed by Gentoo Security Team members.
 External people (package maintainer, arch testers, Release Engineering) may be
 added on a per-name basis, aliases should never be used (because they are too
-wide and won't allow bug comments).  
+wide and won't allow bug comments).
 </p>
 
 <p>
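Review bot: the new line `+until a public release, usually known as the embargo date or coordinated release date.` runs far past the width of the surrounding wrapped text; rewrap it to match. Since this is the first place the term is introduced and the bug-title pattern later in this commit uses the abbreviation "CRD", wording it as "coordinated release date (CRD)" here would define the abbreviation where it is first needed.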
@@ -221,7 +228,7 @@
 that contain information that should be kept secret until an agreed-upon
 coordinated release date. No part of the bug (affected package name,
 description, proposed patch or whatever) should ever leak outside the bug.
-Patches should NOT be committed to portage CVS.
+Patches must NOT be committed to portage CVS.
 </p>
 
 <p>
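Review bot: raising "should NOT" to "must NOT" is the right strength for an embargoed patch and matches the preebuild change later in this commit; to make the two statements agree fully, also say here where the patch goes instead (attached to the restricted bug), as the preebuild row does, so a coordinator is not left without a sanctioned place for it.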
@@ -264,7 +271,7 @@
 </tr>
 <tr>
 <ti>coordinator</ti>
-<ti>The nickname of the coordinator assigned to the bug</ti>
+<ti>The nickname of the coordinator assigned to the bug, optional</ti>
 <ti>koon</ti>
 </tr>
 </table>
@@ -553,7 +560,7 @@
 
 <p>
 Confidential bugs should be following this pattern: "RATING [status]
-coordinator / Release_date CLASSIFIED", where:
+coordinator KEYWORD CRD", where:
 </p>
 
 <table>
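Review bot: the new pattern `RATING [status] coordinator KEYWORD CRD` drops the `/` separator and `Release_date`, yet the coordinator field is marked optional in the table that follows and the CRD example contains spaces (`2009-01-06 18:00 UTC`), so a title is no longer unambiguously splittable on whitespace. Either keep a separator before the CRD or state how the title is meant to be parsed, and add one complete sample title next to the pattern.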
@@ -574,18 +581,18 @@
 </tr>
 <tr>
 <ti>coordinator</ti>
-<ti>The nickname of the coordinator assigned to the bug</ti>
+<ti>The nickname of the coordinator assigned to the bug, optional</ti>
 <ti>koon</ti>
 </tr>
 <tr>
-<ti>Release_date</ti>
-<ti>The date of agreed-upon coordinated disclosure</ti>
-<ti>20050106</ti>
+<ti>KEYWORD</ti>
+<ti>The confidentiality level of the bug, can be CLASSIFIED, CONFIDENTIAL, SEMI-PUBLIC</ti>
+<ti>CLASSIFIED</ti>
 </tr>
 <tr>
-<ti>CLASSIFIED</ti>
-<ti>The optional CLASSIFIED flag for classified bugs</ti>
-<ti>CLASSIFIED</ti>
+<ti>CRD</ti>
+<ti>The coordinated release date for the bugs disclosure. If no time is given, assume 14:00 UTC.</ti>
+<ti>2009-01-06 18:00 UTC</ti>
 </tr>
 
 </table>
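Review bot: "the bugs disclosure" on the CRD row should be "the bug's disclosure". The KEYWORD row lists CLASSIFIED, CONFIDENTIAL and SEMI-PUBLIC without saying what distinguishes them or who may be added to the bug at each level; a one-line definition per level, or a cross reference to where they are defined, is needed for a coordinator choosing one, and the old CLASSIFIED flag was optional whereas the new KEYWORD field is mandatory, which the text does not say. The CRD row changes the format from `20050106` to `2009-01-06 18:00 UTC` and introduces a 14:00 UTC default; spell out the expected shape (ISO date, optional HH:MM, always UTC) so titles stay machine-readable.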
@@ -602,7 +609,7 @@
 <tr>
 <ti>preebuild</ti>
 <ti>Specific package maintainer has been called to prepare an ebuild which
-    should not be committed in the CVS tree</ti>
+    must not be committed in the CVS tree, but attached to the bug</ti>
 </tr>
 <tr>
 <ti>prestable</ti>
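Review bot: "must not be committed in the CVS tree" reads better as "must not be committed to the CVS tree". Attaching the ebuild to the bug is the right destination, since only the restricted group can read it.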
@@ -889,7 +896,7 @@
 maliciously crafted URL or playlist to achieve the same results.</ti>
 </tr>
 <tr>
-<ti>This exploit has two possible impacts. First, it may create new files in 
+<ti>This vulnerability has two possible impacts. First, it may create new files in 
 the user's home directory. Second, and far more serious, it may overwrite 
 existing files that the user has write permissions to. An attacker with some 
 knowledge of a user's home directory might be able to destroy important 
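Review bot: the changed line `+<ti>This vulnerability has two possible impacts. First, it may create new files in ` keeps a trailing space, while an earlier hunk in this same commit strips trailing whitespace; remove it here too (the neighbouring context lines carry it as well). The terminology fix itself is correct: the impact belongs to the vulnerability, the exploit is only what triggers it.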
@@ -1098,7 +1105,7 @@
 <body>
 
 <p>
-An errata is published when we made a mistake otherwise it is an
+An erratum is published when we made a mistake otherwise it is an
 update. When policy warrants a republication these guidelines should be followed:
 </p>
 
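Review bot: the rewritten sentence still lacks punctuation between its clauses: "An erratum is published when we made a mistake otherwise it is an update" should be "An erratum is published when we made a mistake; otherwise it is an update." The singular "erratum" is now consistent with the plural "errata" used for the email examples in the next hunk.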
@@ -1131,14 +1138,13 @@
 
 <p>
   For two complete errata email examples see <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02598.xml">ERRATA:
+  link="http://archives.gentoo.org/gentoo-announce/msg_59c7b7e81a7acacb1cbde24ab708f07a.xml">ERRATA:
   [ GLSA 200409-14 ] Samba: Remote printing non-vulnerability</uri>
   (where there were no real vulnerability) and <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02502.xml">ERRATA:
-  [ GLSA 200405-25 ] tla: Multiple vulnerabilities in included
-  libneon</uri> (where the problem was not correctly fixed in the
+  link="http://archives.gentoo.org/gentoo-announce/msg_e75f5d493fea7c6f718a850abd59598a.xml">ERRATA: [ GLSA 200801-09 ]
+      X.Org X server and Xfont library: Multiple vulnerabilities</uri> (where the problem was not correctly fixed in the
   initial version). For an update example see <uri
-  link="http://archives.gentoo.org/gentoo-announce/msg_02663.xml">UPDATE:
+  link="http://archives.gentoo.org/gentoo-announce/msg_0f18bca197c64b634db757a18d2ae492.xml">UPDATE:
   [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included
   xpdf</uri> (where the fix introduced another vulnerability).
 </p>
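Review bot: the new `X.Org X server and Xfont library` line is indented with six spaces and the line before it runs well past the width of the rest of the paragraph; rewrap both to the two-space indent used around them. On the unchanged context line, "where there were no real vulnerability" should be "where there was no real vulnerability". The link targets change from numeric `msg_02598.xml` style names to hash-style ones while two of the three link titles stay the same; worth confirming that each new target resolves to the announcement its title names.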
@@ -1178,5 +1184,19 @@
 
 </body>
 </section>
+<section>
+<title>Security Subversion repository</title>
+<body>
+
+<ul>
+<li>The <uri link="http://overlays.gentoo.org/proj/security/timeline">Security Subversion repository</uri>
+contains several tools to collaboratively assess whether we are affected by new CVE identifiers, and
+tools to determine target keywords. Most tools directly interact with Bugzilla, making manual
+copy-pasting unnecessary.
+</li>
+</ul>
+
+</body>
+</section>
 </chapter>
 </guide>
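Review bot: a section whose whole body is a single one-item `<ul>` reads better as a `<p>`, matching the other sections of this guide. The link text says "Security Subversion repository" but the target path ends in `/proj/security/timeline`; if that is the browse view, say so and give the checkout URL alongside it. Since the tools "directly interact with Bugzilla", the section should say how they authenticate and that Bugzilla credentials must not be kept in the checkout or committed; it should also restate that patches and ebuilds for restricted bugs do not belong in this repository, consistent with the "must NOT be committed" rules elsewhere in this commit.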