On Wed, Jul 6, 2016 at 10:02 AM, Kristian Fiskerstrand <k...@gentoo.org> wrote:
> On 07/06/2016 03:49 PM, Rich Freeman wrote:
>
>> I understand that. However, I just sometimes wonder whether that
>> approach makes sense. The result of the current system is that we
>> don't release GLSAs until well after a bug is fixed, sometimes after
>> months.
>
> It makes sense for long term server management where you don't want to
> update the full tree too often, but I agree GLSAs need to be put out
> more timely
>
Another way to do it is to have a system like this:

1. Vulnerability is logged into database.
2. After embargo period (if any), entry is published. Tools available to the user make them aware they have a vulnerable package installed and the realtime status of whether a fix is available.
3. Once a package is stable, the tools let the user auto-update the package.
4. Once all archs are cleaned up, publish the GLSA by email as usual.

So, this is like the current state, except tools like glsa-check use a realtime-updated database (or at least one as up-to-date as the latest sync) and not a database that is only updated after the last arch is stable. We don't need to send users 14 emails as archs are stabilized. But, the tools they likely would want to use do use the latest info. Sure, in the early days it would just tell them they're vulnerable with no suggested fix, since we don't have a fix yet. But, that is still information the user can use to their advantage.

Ideally the early phases of this would be tied into bugzilla so that somebody isn't manually updating GLSA xml files every time something changes.

-- 
Rich
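A toy model of the four-step flow proposed above, as an added example that is not part of the original thread and not Gentoo's glsa-check or GLSA database code: entries carry an embargo date and the set of archs on which the fixed version is stable, a client-side check hides embargoed entries, reports "vulnerable, no stable fix" versus "fix stable, safe to auto-update" per arch, and a separate predicate says when the e-mailed GLSA would go out. Package names, bug ids, versions, the arch set and the status strings are all constructed here, and the version comparison is a deliberately simplified dotted-integer one.

```python
# Added example, not part of the original message or of Gentoo's glsa-check:
# a toy model of the proposed real-time vulnerability database and the
# client-side check that would read it. Package names, bug ids, versions,
# arch lists and the status strings are all constructed here.
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

ALL_ARCHS = frozenset({"amd64", "x86", "arm"})   # assumed arch set

SAMPLE_TODAY = date(2016, 7, 6)          # constructed "now" for the demo
SAMPLE_AFTER_EMBARGO = date(2016, 7, 10)  # constructed later date


@dataclass(frozen=True)
class VulnEntry:
    bug_id: str                      # placeholder tracking-bug id
    package: str                     # category/name
    fixed_in: str                    # first non-vulnerable version
    embargo_until: Optional[date]    # None means no embargo
    stable_archs: FrozenSet[str] = frozenset()  # archs where fixed_in is stable


def parse_version(v: str):
    """Simplified dotted-integer comparison; Gentoo's real version
    syntax (suffixes, revisions) is richer than this."""
    return tuple(int(part) for part in v.split("."))


def is_published(entry: VulnEntry, today: date) -> bool:
    """Step 2: an entry is visible to tools only once its embargo has ended."""
    return entry.embargo_until is None or today >= entry.embargo_until


def glsa_ready(entry: VulnEntry) -> bool:
    """Step 4: the e-mailed GLSA goes out once every arch is cleaned up."""
    return ALL_ARCHS <= entry.stable_archs


def check(installed: Dict[str, str], arch: str, db: List[VulnEntry],
          today: date) -> List[dict]:
    """glsa-check-style pass over the installed packages.

    Returns one finding per affected package with its real-time status:
    'fix-stable' (step 3, safe to auto-update on this arch) or
    'vulnerable-no-stable-fix' (affected, nothing stable to update to yet).
    """
    findings = []
    for entry in db:
        if not is_published(entry, today):
            continue                      # still embargoed: not shown
        have = installed.get(entry.package)
        if have is None:
            continue                      # package not installed
        if parse_version(have) >= parse_version(entry.fixed_in):
            continue                      # already running a fixed version
        status = ("fix-stable" if arch in entry.stable_archs
                  else "vulnerable-no-stable-fix")
        findings.append({
            "bug": entry.bug_id,
            "package": entry.package,
            "installed": have,
            "fixed_in": entry.fixed_in,
            "status": status,
            "glsa_ready": glsa_ready(entry),
        })
    return findings


def auto_update_candidates(findings: List[dict]) -> List[str]:
    """Packages the tool could update on the user's behalf (step 3)."""
    return [f["package"] for f in findings if f["status"] == "fix-stable"]


# Constructed sample database (placeholder bug ids, fictional packages).
SAMPLE_DB = [
    VulnEntry("BUG-0001", "app-example/foo", "1.2.3", None,
              frozenset({"amd64", "x86"})),                  # arm not yet stable
    VulnEntry("BUG-0002", "app-example/bar", "2.0.1", SAMPLE_AFTER_EMBARGO),  # embargoed
    VulnEntry("BUG-0003", "app-example/baz", "0.9.0", None),  # published, no fix yet
    VulnEntry("BUG-0004", "app-example/qux", "3.1.0", None, ALL_ARCHS),  # all archs done
]

# Constructed view of one host's installed packages.
SAMPLE_INSTALLED = {
    "app-example/foo": "1.2.0",
    "app-example/bar": "1.9.0",
    "app-example/baz": "0.8.5",
    "app-example/qux": "3.0.0",
    "app-example/unrelated": "5.0.0",
}


if __name__ == "__main__":
    for arch in ("amd64", "arm"):
        print(f"== {arch} on {SAMPLE_TODAY} ==")
        for finding in check(SAMPLE_INSTALLED, arch, SAMPLE_DB, SAMPLE_TODAY):
            print(finding)
        print("auto-update:",
              auto_update_candidates(check(SAMPLE_INSTALLED, arch, SAMPLE_DB, SAMPLE_TODAY)))
```

Running it on 2016-07-06 shows the point of the proposal: `app-example/bar` is invisible while embargoed, `app-example/baz` is reported as vulnerable with no stable fix, `app-example/foo` is auto-updatable on amd64 but still only "vulnerable" on arm, and only `app-example/qux` (stable everywhere) would have reached the e-mailed GLSA stage. The same database read on 2016-07-10 makes the bar entry appear without anyone editing an XML file.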