On Wed, Feb 9, 2011 at 9:08 AM, "Paweł Hajdan, Jr." <phajdan...@gentoo.org> wrote:

> I think http://www.gentoo.org/security/en/vulnerability-policy.xml
> specifies the target delay, and also mentions temporary GLSAs.
> Unfortunately, that process does not seem to be followed due to general
> difficulty of drafting GLSAs (I don't even know what is the problem, as
> GLSAmaker is only available to security team members).
>
I think the policy itself is completely appropriate, and of course publishing it makes the process transparent to the users. I think our problem is more with complying with that policy.

I have heard similar complaints about GLSAmaker. I half-wonder if it would make more sense to just edit the xml files directly and validate them with a tool, and send out an email, if the tool really is that bad.

Could the security team use a staff position of some kind that an interested user could take on that handled some of the more administrative aspects of security bugs? Maybe we aren't that bad at fixing our code, but nobody wants to sit around tinkering with notices/etc. Perhaps we might have interested users who wouldn't mind sending out notices and closing bugs who otherwise might not want to or be able to maintain ebuilds/etc?

Rich