On Friday 22 August 2003 21:50, Karsten Schulz wrote:
> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> just a few suggestions from me:
> I would remove the 'severity' attribute from the dtd. It depends on your
> local configuration whether a software bug is critical for your systems
> or not. Btw. who will explain the difference between 'high' and
> 'critical'? On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention, imho there is no need to
> differentiate it further, and every admin has to decide for himself
> respectively.

Maybe a bug classification could be used like: (local exploit, remote exploit, denial of service, local denial of service)

>
> My last point: The last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular
> schedule, with status reports, which exploits, bugs and incidents are
> currently under examination. Imho GLSAs must not provide bugfixes in
> every case, they can provide only information, too. So the element
> 'fixed' in the dtd should allow the value 'none', when it is important,
> that Gentoo users get security related information without providing a
> solution in form of a software update.

If you want to make sure a point is not missed by the security team, post a bug on bugs.gentoo.org and make sure you make clear it is a security bug.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net