On 07/06/2016 02:11 PM, Rich Freeman wrote:
> Is everybody here at least agreed that this particular situation was
> not handled well?

Indeed.

> announcement (which is something we lack - we issue GLSAs sometimes
> ages after something is fixed on x86/amd64). Granted, that should be
> news enough that people are getting the message in other ways unless
> it is Gentoo-specific.

GLSA is a separate discussion, but amd64 and x86 are not the only stable architectures in Gentoo, and the GLEP isn't sent until stabilized across the supported arches. That... and lower than wanted manpower to write up the GLSAs vs scouting, wrangling and auditing work.

> I believe we already have a security severity classification system of
> some kind with targeted response times, so maybe we can tie policy
> into that?

Makes sense.

-- 
Kristian Fiskerstrand
OpenPGP certificate reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3