> On Mar 12, 2017, at 4:14 AM, Alexis Ballier <aball...@gentoo.org> wrote:
> 
> 
> Also, it'd be nice to have something more formal for sec. cleanup:
> "30 days after a sec. issue has been fixed, the sec. team is free to
> clean up old vulnerable versions." I've seen too many pings by sec.
> team members on old bugs for this, and they could have spent the same
> amount of time simply doing it instead.


Alexis, here is a problem that I have noticed over the years. Everyone is short 
on time, but if the developers (and only some do) do not step in and clean up the 
packages, then we might as well make this another job for the Security team, as 
everyone will just leave it to security.

Security looks at every security bug and needs to do a lot of things behind 
the scenes: GLSA writing, looking for CVEs if they are not there, assigning them to 
bugs in the CVE system used for GLSAs. If no CVEs exist, communicate with upstream to 
see if one was requested; if not requested, request it on their behalf and work 
with MITRE on getting it assigned. When you multiply that time over the 100+ 
security bugs open at any time, cleanup is not a five-second thing, as it is for me 
to type three characters and have that bug submitted with that comment. 

The maintainer also knows the package, its dependencies, other bugs filed, etc. 
Removing things for your packages might be simple, but it is not the same 
across all packages, and that is the reason we ask the maintainers to take an 
active step in cleaning up.
