From: "Robert Buchholz (rbu)" To: gentoo-commits@lists.gentoo.org Reply-To: gentoo-dev@lists.gentoo.org, rbu@gentoo.org Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml X-VCS-Repository: gentoo X-VCS-Files: coordinator_guide.xml X-VCS-Directories: xml/htdocs/security/en X-VCS-Committer: rbu X-VCS-Committer-Name: Robert Buchholz Content-Type: text/plain; charset=utf8 Message-Id: Sender: Robert Buchholz Date: Tue, 14 Apr 2009 01:34:21 +0000 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: quoted-printable X-Archives-Salt: ce58eefd-0e66-428f-bbb1-6302844869d0 X-Archives-Hash: 023e6e466f4ffed9ad33d8dd31df7c3e rbu 09/04/14 01:34:21 Modified: coordinator_guide.xml Log: Add reference to SVN, and update how we handle bugs now. Revision Changes Path 1.22 xml/htdocs/security/en/coordinator_guide.xml file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en= /coordinator_guide.xml?rev=3D1.22&view=3Dmarkup plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en= /coordinator_guide.xml?rev=3D1.22&content-type=3Dtext/plain diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en= /coordinator_guide.xml?r1=3D1.21&r2=3D1.22 Index: coordinator_guide.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xm= l,v retrieving revision 1.21 retrieving revision 1.22 diff -u -r1.21 -r1.22 --- coordinator_guide.xml 13 Mar 2008 21:43:56 -0000 1.21 +++ coordinator_guide.xml 14 Apr 2009 01:34:21 -0000 1.22 @@ -11,6 +11,9 @@ Matthias Geerdsen + + Robert Buchholz + =20 This document contains procedures, tips and tricks applying to the 
@@ -21,8 +24,8 @@ =20 -0.8.6 -2008-03-13 +0.8.7 +2008-04-14 =20 Prerequisites @@ -33,9 +36,9 @@

A certain number of accounts must be established before working as a GLS= A coordinator. To draft GLSAs you must get a -GLSAMaker account.= To +GLSAMaker account= . To manage security bugs you need to have a -Bugzilla account, which will = be +Bugzilla account, which will= be upgraded to editbugs privileges. To send GLSA announcements you need to have a yourname@gentoo.org address (i.e. to be a Gentoo develope= r). This address should be allowed to send to gentoo-announce. @@ -58,9 +61,12 @@

You must create a GPG key for your yourname@gentoo.org email address. Yo= u can either create a specific key or add the gentoo.org address to an -existing key. The key ID should be sent to devrel, and you should check +existing key. The key ID should be set in the LDAP, and you +should check that your name and key ID appears on the -developer +developer list. It is very important that the key is published at least on the subkeys.pgp.net key= server. It can also be submitted on other keyservers. @@ -198,11 +204,12 @@ =20

Sometimes a bug is communicated to us under the promise we'll keep it se= cret -until a public release. Restricted bugs have the "Gentoo Security" check= box +until a public release, usually known as the embargo date or coordinated= release date. +Restricted bugs have the "Gentoo Security" checkbox checked and therefore can only be accessed by Gentoo Security Team membe= rs. External people (package maintainer, arch testers, Release Engineering) = may be added on a per-name basis, aliases should never be used (because they ar= e too -wide and won't allow bug comments). =20 +wide and won't allow bug comments).

=20

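Review bot: in the `+until a public release, usually known as the embargo date or coordinated release date.` line the apposition hangs off "public release" rather than off a date, and this same change later uses the abbreviation CRD in the summary-line pattern without spelling it out where the term is first introduced. Suggest "until an agreed-upon public release date, usually called the embargo date or coordinated release date (CRD)." The rest of the hunk only drops trailing whitespace, which is fine.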
@@ -221,7 +228,7 @@ that contain information that should be kept secret until an agreed-upon coordinated release date. No part of the bug (affected package name, description, proposed patch or whatever) should ever leak outside the bu= g. -Patches should NOT be committed to portage CVS. +Patches must NOT be committed to portage CVS.

=20

@@ -264,7 +271,7 @@ coordinator -The nickname of the coordinator assigned to the bug +The nickname of the coordinator assigned to the bug, optional koon @@ -553,7 +560,7 @@ =20

Confidential bugs should be following this pattern: "RATING [status] -coordinator / Release_date CLASSIFIED", where: +coordinator KEYWORD CRD", where:

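Review bot: the new summary pattern `"RATING [status] coordinator KEYWORD CRD"` marks only `status` as optional, while the `@@ -264` hunk above and the field table that follows this pattern both describe the coordinator as optional; the brackets should be consistent, e.g. `RATING [status] [coordinator] KEYWORD CRD`, or the table wording should drop "optional". The pattern also leaves open whether a CRD is required for CONFIDENTIAL and SEMI-PUBLIC bugs or only for CLASSIFIED ones; one sentence after the pattern would settle that.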
=20 @@ -574,18 +581,18 @@ coordinator -The nickname of the coordinator assigned to the bug +The nickname of the coordinator assigned to the bug, optionalkoon -Release_date -The date of agreed-upon coordinated disclosure -20050106 +KEYWORD +The confidentiality level of the bug, can be CLASSIFIED, CONFIDENTIA= L, SEMI-PUBLIC +CLASSIFIED -CLASSIFIED -The optional CLASSIFIED flag for classified bugs -CLASSIFIED +CRD +The coordinated release date for the bugs disclosure. If no time is = given, assume 14:00 UTC. +2009-01-06 18:00 UTC =20
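Review bot: the new KEYWORD row introduces three confidentiality levels, CLASSIFIED, CONFIDENTIAL and SEMI-PUBLIC, but neither this row nor the surrounding text says what distinguishes them or who may be added to a bug at each level, which is the decision a coordinator actually has to make; a short definition per level belongs here or in the restricted-bugs section changed in the `@@ -198` hunk. Separately, the coordinator row now reads `optionalkoon`, which looks like the description and the example cell have been fused; check that the markup still renders them as separate cells. The CRD row's default of 14:00 UTC is a good addition; stating the expected date format (the example uses `2009-01-06 18:00 UTC`) would remove the remaining ambiguity.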
@@ -602,7 +609,7 @@ preebuild Specific package maintainer has been called to prepare an ebuild whi= ch - should not be committed in the CVS tree + must not be committed in the CVS tree, but attached to the bug prestable @@ -889,7 +896,7 @@ maliciously crafted URL or playlist to achieve the same results. -This exploit has two possible impacts. First, it may create new file= s in=20 +This vulnerability has two possible impacts. First, it may create ne= w files in=20 the user's home directory. Second, and far more serious, it may overwrit= e=20 existing files that the user has write permissions to. An attacker with = some=20 knowledge of a user's home directory might be able to destroy important=20 @@ -1098,7 +1105,7 @@ =20

-An errata is published when we made a mistake otherwise it is an +An erratum is published when we made a mistake otherwise it is an update. When policy warrants a republication these guidelines should be = followed:

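Review bot: `+An erratum is published when we made a mistake otherwise it is an` runs two clauses together; a semicolon or full stop is needed: "An erratum is published when we made a mistake; otherwise it is an update." The singular form is the right fix for this sentence.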
=20 @@ -1131,14 +1138,13 @@ =20

For two complete errata email examples see ERRA= TA: + link=3D"http://archives.gentoo.org/gentoo-announce/msg_59c7b7e81a7acac= b1cbde24ab708f07a.xml">ERRATA: [ GLSA 200409-14 ] Samba: Remote printing non-vulnerability (where there were no real vulnerability) and ERRA= TA: - [ GLSA 200405-25 ] tla: Multiple vulnerabilities in included - libneon (where the problem was not correctly fixed in the + link=3D"http://archives.gentoo.org/gentoo-announce/msg_e75f5d493fea7c6= f718a850abd59598a.xml">ERRATA: [ GLSA 200801-09 ] + X.Org X server and Xfont library: Multiple vulnerabilities (= where the problem was not correctly fixed in the initial version). For an update example see UPDA= TE: + link=3D"http://archives.gentoo.org/gentoo-announce/msg_0f18bca197c64b6= 34db757a18d2ae492.xml">UPDATE: [ GLSA 200410-30 ] GPdf, KPDF, KOffice: Vulnerabilities in included xpdf (where the fix introduced another vulnerability).

@@ -1178,5 +1184,19 @@ =20 +
+Security Subversion repository + + +
    +
  • The = Security Subversion repository +contains several tools to collaboratively assess whether we are affected= by new CVE identifiers, and +tools to determine target keywords. Most tools directly interact with Bu= gzilla, making manual +copy-pasting unnecessary. +
  • +
+ + +
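Review bot: in the `@@ -21,8 +24,8 @@` hunk near the top of this patch, the date line is changed to `+2008-04-14`, which is a year earlier than this commit (14 Apr 2009 per the log header) and only a month after the previous value `-2008-03-13`; it should read `2009-04-14` to match the version bump to 0.8.7 and the actual commit date.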
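Review bot: the new "Security Subversion repository" section says the tools live in the repository and that most of them talk to Bugzilla directly, but it does not say how a coordinator obtains access to the repository or where the tools read their Bugzilla login from; and since this same guide states that no part of a restricted bug may leak outside the bug, the section should say explicitly that the tools operate within the bug's restrictions. A sentence on obtaining access and one on how the Bugzilla credentials are configured would make the section usable by a new coordinator without asking on IRC.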