From: Karsten Schulz
To: gentoo-dev@gentoo.org
Date: Fri, 22 Aug 2003 21:50:15 +0200
Subject: Re: [gentoo-dev] GLEP #14: security updates based on GLSA
In-Reply-To: <20030822191939.36400b90.genone@genone.de>
Message-Id: <200308222150.15259.kaschu@t800.ping.de>

On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> Everything in the GLEP is open for discussion, please share your
> questions/comments/concerns with the other people on this list

Just a few suggestions from me:

I would remove the 'severity' attribute from the DTD. It depends on your local configuration whether a software bug is critical for your systems or not. Btw., who will explain the difference between 'high' and 'critical'? On my systems 'high' *is* 'critical'. A GLSA is per se important and needs attention; imho there is no need to differentiate it further, and every admin has to decide for himself respectively.

For admins' convenience, I would like to have an optional URL element, which can contain a location where the bug is discussed (in addition to the CVE, which is not available in every case). The URL could point to the mailing list of the program developers or other serious sources like security lists. This would just help the admin to get more information about the bug.

I would like to second Caleb's suggestion to sign GLSAs. Besides, there is need for a central Security page at www.gentoo.org, where users and admins get some hints how the security related communication works (who creates and checks GLSAs, which public keys are used, a.s.o.).

My last point: The last few weeks, there were no new GLSAs, but some security related discussions elsewhere (unzip, gdm, XDMCP and others). There were no statements or GLSAs from Gentoo about such stories. It would be nice to have some kind of feedback that the security team is aware of current problems. I would like to see GLSAs in a regular schedule, with status reports on which exploits, bugs and incidents are currently under examination. Imho GLSAs must not provide bugfixes in every case; they can provide only information, too. So the element 'fixed' in the DTD should allow the value 'none', when it is important that Gentoo users get security related information without providing a solution in the form of a software update.

That's all for the moment,
Karsten
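As an added illustration of the two DTD points in the message above (an optional URL element, and a 'fixed' element that may be 'none'), here is a small admin-side consumer of such advisories. It is example code, not part of GLEP 14 or of Gentoo's tooling; the element names `glsa`, `package`, `cve`, `url` and `fixed`, the sample advisories and the `installed` mapping are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the hypothetical schema: one advisory with a fix
# and an optional discussion URL, one informational advisory ('fixed' = 'none').
SAMPLE_GLSAS = """<advisories>
  <glsa id="EXAMPLE-0001">
    <package>app-arch/unzip</package>
    <cve>CAN-EXAMPLE-0001</cve>
    <url>https://lists.example.invalid/thread/1</url>
    <fixed>app-arch/unzip-5.50-r2</fixed>
  </glsa>
  <glsa id="EXAMPLE-0002">
    <package>gnome-base/gdm</package>
    <fixed>none</fixed>
  </glsa>
</advisories>"""


def parse_glsa(elem):
    """Normalise one <glsa> element; 'none' in <fixed> means no update exists."""
    pkg = elem.findtext("package")
    fixed = elem.findtext("fixed")
    if not pkg or fixed is None:
        raise ValueError(f"advisory {elem.get('id')!r} lacks package or fixed")
    fixed = fixed.strip()
    return {
        "id": elem.get("id"),
        "package": pkg.strip(),
        "fixed": None if fixed == "none" else fixed,
        "cve": elem.findtext("cve"),          # optional, may be absent
        "url": elem.findtext("url"),          # optional, may be absent
    }


def load_advisories(xml_text):
    root = ET.fromstring(xml_text)
    return [parse_glsa(g) for g in root.findall("glsa")]


def pending_actions(advisories, installed):
    """Map each advisory for an installed package to the admin's next step.

    installed: {package_name: installed_version_string} (assumed layout).
    Informational advisories still surface so the admin can review them.
    """
    actions = {}
    for adv in advisories:
        if adv["package"] not in installed:
            continue
        if adv["fixed"] is None:
            actions[adv["id"]] = "review: no fix published yet"
        else:
            actions[adv["id"]] = f"update to {adv['fixed']}"
    return actions
```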