From: "Paweł Hajdan, Jr."
Date: Wed, 09 Feb 2011 15:08:02 +0100
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] avoiding urgent stabilizations
Message-ID: <4D529FC2.4060507@gentoo.org>
References: <20110207205059.GA10939@bookie> <20110208164116.GC31166@comet.mayo.edu> <201102081846.32733.dilfridge@gentoo.org> <20110208175720.GE4530@gentoo.org>

On 2/9/11 2:57 PM, Rich Freeman wrote:
> Perhaps we should target having glsas published within a certain
> amount of time after a vulnerability is disclosed, whether corrected
> or not. We could re-publish a final notice once all is well. We
> really shouldn't consider users safe from a security vulnerability
> until the vulnerability is patched in the tree AND the notice to
> update has been sent out.

I think http://www.gentoo.org/security/en/vulnerability-policy.xml
specifies the target delay, and also mentions temporary GLSAs.

Unfortunately, that process does not seem to be followed due to the
general difficulty of drafting GLSAs (I don't even know what the
problem is, as GLSAmaker is only available to security team members).