On 2/9/11 2:57 PM, Rich Freeman wrote:
> Perhaps we should target having GLSAs published within a certain
> amount of time after a vulnerability is disclosed, whether corrected
> or not.  We could re-publish a final notice once all is well.  We
> really shouldn't consider users safe from a security vulnerability
> until the vulnerability is patched in the tree AND the notice to
> update has been sent out.

I think http://www.gentoo.org/security/en/vulnerability-policy.xml
specifies the target delay, and also mentions temporary GLSAs.
Unfortunately, that process does not seem to be followed due to the general
difficulty of drafting GLSAs (I don't even know what the problem is, as
GLSAmaker is only available to security team members).
