List: gentoo-dev
Subject: Re: [gentoo-dev] [RFC] Security Bug Assignment Change
From: Sam James <sam () gentoo ! org>
Date: 2022-04-25 2:10:34
Message-ID: 09342677-92B0-4BE9-B904-4112EFBC44B6 () gentoo ! org
> On 15 Apr 2022, at 02:38, John Helmert III <ajak@gentoo.org> wrote:
>
> Hi all! Currently all security bugs are assigned to security@g.o,
> always. This can easily lead to some confusion about who needs to do
> something about a given bug; right now this is generally tracked by
> whiteboard magic strings that probably not many people outside of the
> Security Project understand [1] and this has been a source of
> confusion around security bugs for a long time.
>
> To make it abundantly clear who needs to take action for a given bug,
> I propose we move away from the dogma of security@ always being
> assigned to security bugs, and instead assign bugs to whoever needs to
> take action for the bug. For example, on security bugs that need a
> package bumped or cleaned up, the package maintainer would be
> assigned. For bugs needing a GLSA, security@ would be assigned.
> [...]
>
> What do you all think?
>
Yes, please. It's led to no end of confusion, and there have been many requests
for this over the years.
> [1] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html "Severity Level" section
Best,
sam