From: Sergey Popov
Date: Wed, 15 Jan 2014 15:14:09 +0400
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] Soliciting feedback for the GLSA-2 format
Message-ID: <52D66D81.2090505@gentoo.org>
In-Reply-To: <569773918.20140110160237@x-project.net>
10.01.2014 19:02, Sascha Wolf writes:
> Hi,
>
> I find the new version of the GLSA format very interesting, especially
> with the backdrop of the automated evaluation of vulnerabilities.
>
> Would it be possible to specify in which branch of Gentoo this
> program is usually installed? For example, "stable" or "unstable"?
>
> So you can better see if you are actively involved or not.
>

Current workflow will not be changed:

1) for packages having stable versions - new versions will be stabilized, vulnerable versions removed from the tree. A GLSA will be released if it's necessary, AFTER stabilization is finished for all security-supported arches.

2) for packages that were never in stable - a GLSA will NOT even be drafted.

One notable exception for 1) - we do not do GLSAs for kernel packages.

So, to conclude, we track all vulnerabilities that are discovered in the main portage tree, but GLSAs are mainly targeted at stable systems, e.g. the stable branch should not contain vulnerable software (ideally).

--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead