From: Paul de Vrieze
To: gentoo-dev@gentoo.org
Date: Fri, 22 Aug 2003 22:18:59 +0200
Subject: Re: [gentoo-dev] GLEP #14: security updates based on GLSA
Message-Id: <200308222219.11859.pauldv@gentoo.org>
In-Reply-To: <200308222150.15259.kaschu@t800.ping.de>
References: <20030822191939.36400b90.genone@genone.de> <200308222150.15259.kaschu@t800.ping.de>

On Friday 22 August 2003 21:50, Karsten Schulz wrote:
> On Friday, 22 August 2003 19:19, Marius Mauch wrote:
> > Everything in the GLEP is open for discussion, please share your
> > questions/comments/concerns with the other people on this list
>
> just a few suggestions from me:
> I would remove the 'severity' attribute from the dtd. It depends on your
> local configuration whether a software bug is critical for your systems
> or not. Btw. who will explain the difference between 'high' and
> 'critical'? On my systems 'high' *is* 'critical'.
> A GLSA is per se important and needs attention, imho there is no need to
> differentiate it further, and every admin has to decide for himself
> respectively. Maybe a bug classification could be used like: (local
> exploit, remote exploit, denial of service, local denial of service)
>
> My last point: The last few weeks, there were no new GLSAs, but some
> security related discussions elsewhere (unzip, gdm, XDMCP and others).
> There were no statements or GLSAs from Gentoo about such stories. It
> would be nice to have some kind of feedback, that the security team is
> aware of current problems. I would like to see GLSAs in a regular
> schedule, with status reports, which exploits, bugs and incidents are
> currently under examination. Imho GLSAs must not provide bugfixes in
> every case, they can provide only information, too. So the element
> 'fixed' in the dtd should allow the value 'none', when it is important,
> that Gentoo users get security related information without providing a
> solution in form of a software update.

If you want to make sure a point is not missed by the security team, post a
bug on bugs.gentoo.org and make sure you make clear it is a security bug.

Paul

-- 
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net