On 10.01.2014 19:02, Sascha Wolf wrote:
> Hi,
>
> I find the new version of the GLSA format very interesting, especially
> with the backdrop of the automated evaluation of vulnerabilities.
>
> Would it be possible to specify in which branch of Gentoo this
> program is usually installed? For example, "stable" or "unstable"?
>
> So you can better see if you are actively involved or not.
>
The current workflow will not be changed:

1) For packages having stable versions: new versions will be stabilized, vulnerable versions removed from the tree. A GLSA will be released if necessary, AFTER stabilization has finished for all security-supported arches.

2) For packages that were never in stable: a GLSA will NOT even be drafted.

One notable exception for 1): we do not do GLSAs for kernel packages.

So, to conclude, we track all vulnerabilities that are discovered in the main portage tree, but GLSAs are mainly targeted at stable systems, e.g. the stable branch should not contain vulnerable software (ideally).

--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead