On 07/06/2016 10:11 AM, Rich Freeman wrote: > On Wed, Jul 6, 2016 at 10:02 AM, Kristian Fiskerstrand <k...@gentoo.org> > wrote: >> On 07/06/2016 03:49 PM, Rich Freeman wrote: >> >>> I understand that. However, I just sometimes wonder whether that >>> approach makes sense. The result of the current system is that we >>> don't release GLSAs until well after a bug is fixed, sometimes after >>> months. >> It makes sense for long term server management where you don't want to >> update the full tree too often, but I agree GLSAs needs to be put out >> more timely >> > Another way to do it is to have a system like this: > 1. Vulnerability is logged into database. > 2. After embargo period (if any), entry is published. Tools > available to the user make them aware they have a vulnerable package > installed and the realtime status of whether a fix is available. > 3. Once a package is stable, the tools let the user auto-update the package. > 4. Once all archs are cleaned up, publish the GLSA by email as usual. > > So, this is like the current state, except tools like glsa-check use a > realtime-updated database (or at least one as up-to-date as the latest > sync) and not a database that is only updated after the last arch is > stable. We don't need to send users 14 emails as archs are > stabilized. But, the tools they likely would want to use do use the > latest info. > > Sure, in the early days it would just tell them they're vulnerable > with no suggested fix, since we don't have a fix yet. But, that is > still information the user can use to their advantage. > > Ideally the early phases of this would be tied into bugzilla so that > somebody isn't manually updating GLSA xml files every time something > changes. > (Speaking with my tools-portage lead hat on)
While I don't like touching glsa-check within gentoolkit, due to the nature of what it does. I will fully support and work with the security team on updating the tool if something like this is desired. Regards Paul