El mié, 12-09-2012 a las 18:30 -0400, Sean Amoss escribió:
> On 09/12/2012 02:54 PM, Pacho Ramos wrote:
> > El jue, 13-09-2012 a las 04:30 +1000, Michael Palimaka escribió:
> >> On 2012-09-13 03:59, Pacho Ramos wrote:
> >>> Hello
> >>> Currently, package maintainers are CCed to security bugs when their are
> >>> needed. The problem is that, once maintainers add a fixed version and
> >>> tell security team they are ok to get it stabilized, maintainers are
> >>> kept CCed until bug is closed by security team. This usually means
> >>> getting a lot of mail after some time when security team discuss if a
> >>> GLSA should be filled or not, if security bot adds some comment... some
> >>> of that comments are applied to really old bugs that need no action from
> >>> maintainers.
> Our discussion is very minimal. There will typically never be any more
> than 3 comments discussing whether to have a GLSA or not -- in the event
> that 2 security team members disagree and a 3rd has to break the tie.
> Some bugs have been receiving more spam than usual (lately, from
> GLSAMaker/CVETool bot) as we have been trying to clean-up old CVE
> entries in the tool and old bugs.
> It would be nice if maintainers would follow-up on security bugs in
> [upstream], [ebuild], [stable], and [cleanup] to get those bugs closed
> as soon as possible. You are welcome to join the security team to help
> us keep bugs up-to-date and work on the backlog of GLSAs.
> >>> Maybe would be interesting to change the policy to unCC maintainers
> >>> again when their action is no longer required.
> >>> What do you think?
> >>> Thanks for your thoughts
> >> Hello,
> >> Is the policy you describe officially documented, or just current
> > I don't know, at least it's the current behavior, but I don't know if
> > it's a policy :/
> Yes, this is part of the Vulnerability Treatment Policy , listed
> under the "Security Bug Wrangler role" in Chapter 3.
> >> In KDE and Qt herds for example, we usually just unCC ourselves when
> >> we've taken the required action.
> >> Best regards,
> >> Michael
> The security bug process  involves removing the vulnerable versions
> from the tree after all arches are finished stabilizing. This is to
> ensure that users do not accidentally install vulnerable software. Many
> maintainers do not do this and I think that all of us on the security
> team are guilty of not always following up to ensure the vulnerable
> versions are dropped. As Jeroen mentioned, how will maintainers know
> when to remove the vulnerable versions if they are not current on the bug?
> If stabilization is complete and the maintainers have removed vulnerable
> versions from the tree, there is typically no issue with unCC'ing
> themselves like KDE/Qt herds do.
> Arches sometimes run into minor issues that don't warrant opening a new
> bug - they should be able to get help from maintainers without re-CC'ing
> If a decision were made to unCC maintainers, there would probably be
> some maintainers/herds that want to be left on the CC list and the
> security team does not have the capacity right now to keep up with
> (Strictly my opinions, not that of the whole security team)
>  http://www.gentoo.org/security/en/vulnerability-policy.xml#doc_chap3
>  http://www.gentoo.org/security/en/coordinator_guide.xml#doc_chap3
OK, then, looks like the policy could be that, once all arches are done,
maintainers cleanup ebuilds and unCC themselves, that way, if they are
still getting mails from bug report is because they forgot to remove
vulnerable versions and, if not, is because all their work was finished.
Are you ok with this policy?