On 03/12/2017 11:05 PM, Alexis Ballier wrote:
>> The severity levels and timelines are already defined in the
>> referenced vulnerability treatment policy. We might be able to
>> incorporate this suggestion by stronger reference to that for
>> timeline, but in the end that should be the internal policy anyways.
> 
> To me, this is the only thing that is *not* internal here.
> 
> You have a target delay X. What happens after X expires? After 2X?
> 10X? When is it right for sec. team to intervene? When is it right
> for sec. team to intervene after maintainer has asked for a delay? When
> is it right for sec. team to intervene against maintainer wishes?
> 
> I'm pretty sure you have a good idea of when sec. team should act, and
> you're right in the sense that severity analysis does not belong to the
> GLEP, but something referencing your treatment policy and explicitly
> stating in the GLEP that (any member of) sec. team is allowed to take
> action after some multiple (possibly one) of the target delay would be
> more clear and avoid entirely having the lead to take a decision every
> time.

Makes sense, will try to write up some more info on this in the GLEP, while
still referencing the vulnerability treatment policy for the actual
information, as that needs to be possible to update from time to time.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
