On Tue, 14 Mar 2017 19:55:44 -0400
Yury German <bluekni...@gentoo.org> wrote:

> > On Mar 12, 2017, at 4:14 AM, Alexis Ballier <aball...@gentoo.org>
> > wrote:
> > 
> > 
> > Also, it'd be nice to have something more formal for sec. cleanup:
> > "After 30 days a sec. issue has been fixed, sec. team is free to
> > cleanup old vulnerable versions.". I've seen too many pings by sec.
> > team members on old bugs for this and they could have spent the same
> > amount of time simply doing it instead.  
> 
> 
> Alexis, here is a problem that I have noticed over the years.
> Everyone is short on time, but if the developers do not step in (and
> only some) and clean up the packages then we might as well make this
> another job for Security team as everyone will just leave it to
> security.
> 
> Security looks at every security bug, and needs to do a lot of things
> behind the scenes: GLSA writing, looking for CVEs if not there, assigning
> them to bugs in the CVE system used for GLSAs. If no CVEs exist,
> communicate with upstream to see if it was requested; if not
> requested, request it on their behalf and work with MITRE in getting
> it assigned. When you multiply that time over the 100+ security bugs
> at any time, cleanup is not a 5-second thing as it is for me typing three
> characters to have that bug be submitted with that comment. 
> 
> The maintainer also knows the package, dependencies, other bugs
> filed, etc. Removing things for your packages might be simple, but it
> is not the same across all packages and that is the reason we ask the
> Maintainers to take an active step in cleaning up.


Agreed, but I was under the impression that sometimes sec. team was
waiting for cleanup to close a bug. If you've just done the analysis
that it is the only thing left, just do it and close the bug, instead
of pinging on the bug and re-doing that analysis in a later pass. This
reduces context switches and makes everything more efficient :)
