'Re: [gentoo-dev] [RFC] Security Bug Assignment Change'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gentoo-dev
Subject:    Re: [gentoo-dev] [RFC] Security Bug Assignment Change
From:       Sam James <sam () gentoo ! org>
Date:       2022-04-25 2:10:34
Message-ID: 09342677-92B0-4BE9-B904-4112EFBC44B6 () gentoo ! org
[Download RAW message or body]

> On 15 Apr 2022, at 02:38, John Helmert III <ajak@gentoo.org> wrote:
> 
> Hi all! Currently all security bugs are assigned to security@g.o,
> always. This can easily lead to some confusion about who needs to do
> something about a given bug; right now this is generally tracked by
> whiteboard magic strings that probably not many people outside of the
> Security Project understand [1] and this has been a source of
> confusion around security bugs for a long time.
> 
> To make it abundantly clear who needs to take action for a given bug,
> I propose we move away from the dogma of security@ always being
> assigned to security bugs, and instead assign bugs to whoever needs to
> take action for the bug. For example, on security bugs that need a
> package bumped or cleaned up, the package maintainer would be
> assigned. For bugs needing a GLSA, security@ would be assigned.
> [...]
> 
> What do you all think?
> 

Yes, please. It's led to no end of confusion and had many requests
for this over the years.

> [1] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html \
> "Severity Level" section

Best,
sam


["signature.asc" (signature.asc)]

-----BEGIN PGP SIGNATURE-----

iQGTBAEBCgB9FiEEYOpPv/uDUzOcqtTy9JIoEO6gSDsFAmJmAxpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDYw
RUE0RkJGRkI4MzUzMzM5Q0FBRDRGMkY0OTIyODEwRUVBMDQ4M0IACgkQ9JIoEO6g
SDsniwf+P5CcQEvwSeNucU3sLej4O0SBJMY8bW17cGzeKJ0oJLDSH8lePKP4TPyj
Es5HoG3Fg0jkC1oPbcuFAoFZt2YGBecgzSfK42dkjWYiAbN95h96RJriI6NKEdeB
QDTUSr5qEDh3naTDFTADpXLoo5NJJc1wfc8XFhYoP9nXLRlJMjo9mz2jpg7pD0Pn
1ebrQGZ/fakwHTCPIBNd4fMqUqxHAQOuzy3vSQIBuA8qZrd3bPbh1k5Imi7cstKl
0P7wCd3g+/02JyOMuKefF8pr4490bKsYY0fM4ptyHGizKxUzhfIxT/Tfk5MbGoHG
kVMYva3Z5NwW0xn/BD175lfUd+mgyQ==
=0mcT
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic