Subject: Re: [gentoo-dev] avoiding urgent stabilizations
From: Rich Freeman
To: gentoo-dev@lists.gentoo.org
Date: Wed, 9 Feb 2011 10:26:19 -0500
List-Id: Gentoo Linux mail
In-Reply-To: <4D529FC2.4060507@gentoo.org>
References: <20110207205059.GA10939@bookie> <20110208164116.GC31166@comet.mayo.edu> <201102081846.32733.dilfridge@gentoo.org> <20110208175720.GE4530@gentoo.org> <4D529FC2.4060507@gentoo.org>

On Wed, Feb 9, 2011 at 9:08 AM, "Paweł Hajdan, Jr." wrote:
> I think http://www.gentoo.org/security/en/vulnerability-policy.xml
> specifies the target delay, and also mentions temporary GLSAs.
> Unfortunately, that process does not seem to be followed due to general
> difficulty of drafting GLSAs (I don't even know what is the problem, as
> GLSAmaker is only available to security team members).
>

I think the policy itself is completely appropriate, and of course publishing it makes the process transparent to the users. I think our problem is more with complying with that policy.

I have heard similar complaints about GLSAmaker. I half-wonder if it would make more sense to just edit the XML files directly and validate them with a tool, and send out an email, if the tool really is that bad.

Could the security team use a staff position of some kind that an interested user could take on that handled some of the more administrative aspects of security bugs? Maybe we aren't that bad at fixing our code, but nobody wants to sit around tinkering with notices/etc. Perhaps we might have interested users who wouldn't mind sending out notices and closing bugs who otherwise might not want to or be able to maintain ebuilds/etc?

Rich