From: Pierre-Yves Rofes
Date: Thu, 10 Jan 2008 00:11:49 +0100
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Projects and subproject status
Message-ID: <478554B5.405@gentoo.org>
In-Reply-To: <47829A4A.5000905@gentoo.org>

Luca Barbato wrote:
> Here is a list of interesting questions: "Are we fine?" "What are we
> going to do?"
>
> Please project leaders try to reply in short.
>

Ok, technically I'm not security lead, but since I and rbu almost completely handled the security team since 2 months, I think I can at least give my opinions on what's going on.

> About the stuff I'm involved:
>
> Are we fine?

security: Well, with an average of ~1 GLSA/day for November and December, things are going a little bit better than some months ago. We still have too many open bugs (~115), but we tend to be a little more reactive since we now actively monitor the vendor-security mailing list plus the freshly attributed CVE ids, so we're able to file bugs and get them corrected before they go public. This also means arches security liaisons should be prepared to get called more often from now on.

>
> What are we going to do:
>

Personally, I'd like that we become more regular for the GLSA releases, instead of doing nothing for days then rushing to send 10 GLSAs in 2 days. I'd also like to take care of the really old bugs, say, opened for at least 6 months (~25 at the moment). Don't know if we'll manage to do it, but at least we'll try.

This was a (very) short reply, sec team members are of course welcome to complete.

--
Pierre-Yves Rofes
Gentoo Linux Security Team