Project:Security/GLSAMaker Guide

This document is a guide to GLSAMaker2, the application used by the Gentoo Linux Security Project to create GLSAs. This guide is intended for new GLSAMaker2 users.

New Requests
Requests are new GLSAs without any fields completed. Requests can be created using the "New" tab. At least one bug and a title must be provided. A generic title will automatically be created based on the bug(s) entered. Clicking the generic title will populate the title field. Importing references will cause any CVEs linked through CVETool to be added to the references section of the GLSA. The request can be created as public or confidential.

Existing Requests
Existing GLSA requests can be found in the "Requests" tab. Any pooled GLSA request still needs to be drafted (see next section).

GLSA Edit Mode
Clicking a GLSA request from the "Requests" tab opens the GLSA in edit mode. Here, all fields should be filled out. Features in edit mode:

provided.
 * Clicking the template icon (red, blue, and green boxes) next to a field shows a drop-down menu with template options.
 * Clicking the document go icon (paper with blue arrow) for the description field fills it with the default "Multiple vulnerabilities" description.
 * Clicking the no workaround icon (bandage and red minus sign) for the workaround field fills it with the default "No workaround" text.
 * Clicking the resolution go icon (wrench with blue arrow) for the resolution field fills it with the default resolution text.
 * CVE references can be added without a URL by simply adding the CVE identifier in the title field. Upon saving, the URL will automatically be populated. All other references should have a URL.
 * Clicking the bug number shows the GLSAMaker bug view; clicking [BZ] next to the bug number opens the bug in Bugzilla.
 * Comment flags (red flags) must be changed to done (green flags) in edit mode.

GLSA Drafts
A GLSA draft has all fields filled in and should be ready for review. GLSA drafts can be reviewed by adding a comment. For the GLSA draft to be bug-ready, it must contain [glsa] in the whiteboard. CVE identifiers linked to the bug(s) through CVETool can be added to the GLSA using the "Import references" button.

GLSA Release
A GLSA draft can be released with the "Release advisory" button after it has received the appropriate number of approvals. (Padawans will not be able to approve or release GLSA drafts.) During the release process, the GLSA XML file can be downloaded to be added to CVS, and the text file can be viewed to copy and paste into an email. Lastly, GLSAMaker2 can automatically close all the bugs assigned to the GLSA.

Released GLSAs can be edited through the "Archive" tab or by searching for the GLSA. The re-release process is the same.