On Wed, 12-09-2012 at 18:30 -0400, Sean Amoss wrote:
> On 09/12/2012 02:54 PM, Pacho Ramos wrote:
> > On Thu, 13-09-2012 at 04:30 +1000, Michael Palimaka wrote:
> >> On 2012-09-13 03:59, Pacho Ramos wrote:
> >>> Hello
> >>>
> >>> Currently, package maintainers are CCed to security bugs when they are
> >>> needed. The problem is that, once maintainers add a fixed version and
> >>> tell the security team they are OK to get it stabilized, maintainers are
> >>> kept CCed until the bug is closed by the security team. This usually means
> >>> getting a lot of mail after some time when the security team discusses whether a
> >>> GLSA should be filed or not, or when the security bot adds some comment... some
> >>> of those comments are applied to really old bugs that need no action from
> >>> maintainers.
> >>>
> 
> Our discussion is very minimal. There will typically never be any more
> than 3 comments discussing whether to have a GLSA or not -- in the event
> that 2 security team members disagree and a 3rd has to break the tie.
> 
> Some bugs have been receiving more spam than usual (lately, from
> GLSAMaker/CVETool bot) as we have been trying to clean-up old CVE
> entries in the tool and old bugs.
> 
> It would be nice if maintainers would follow-up on security bugs in
> [upstream], [ebuild], [stable], and [cleanup] to get those bugs closed
> as soon as possible. You are welcome to join the security team to help
> us keep bugs up-to-date and work on the backlog of GLSAs. :D
> 
> >>> Maybe it would be interesting to change the policy to unCC maintainers
> >>> again when their action is no longer required.
> >>>
> >>> What do you think?
> >>>
> >>> Thanks for your thoughts
> >>>
> >>
> >> Hello,
> >>
> >> Is the policy you describe officially documented, or just current
> >> behaviour?
> >>
> >
> > I don't know, at least it's the current behavior, but I don't know if
> > it's a policy :/
> 
> Yes, this is part of the Vulnerability Treatment Policy [1], listed
> under the "Security Bug Wrangler role" in Chapter 3.
> 
> >
> >> In KDE and Qt herds for example, we usually just unCC ourselves when
> >> we've taken the required action.
> >>
> >> Best regards,
> >> Michael
> >>
> 
> The security bug process [2] involves removing the vulnerable versions
> from the tree after all arches are finished stabilizing. This is to
> ensure that users do not accidentally install vulnerable software. Many
> maintainers do not do this and I think that all of us on the security
> team are guilty of not always following up to ensure the vulnerable
> versions are dropped. As Jeroen mentioned, how will maintainers know
> when to remove the vulnerable versions if they are not current on the bug?
> 
> If stabilization is complete and the maintainers have removed vulnerable
> versions from the tree, there is typically no issue with unCC'ing
> themselves like KDE/Qt herds do.
> 
> Arches sometimes run into minor issues that don't warrant opening a new
> bug - they should be able to get help from maintainers without re-CC'ing
> them.
> 
> If a decision were made to unCC maintainers, there would probably be
> some maintainers/herds that want to be left on the CC list and the
> security team does not have the capacity right now to keep up with
> exceptions.
> 
> (Strictly my opinions, not that of the whole security team)
> 
> 
> [1] http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
> [2] http://www.gentoo.org/security/en/coordinator_guide.xml#doc_chap3
> 
> 

Regarding joining the security team, I have considered that option many
times... but I clearly don't have enough time these days :|, sorry
