Project:Security/GLSAMaker Guide

From Gentoo Wiki
Jump to: navigation, search

This document is a guide to GLSAMaker2, the application used by the Gentoo Linux Security Project to create GLSAs. This guide is intended to new GLSAMaker2 users.

GLSA Creation

New Requests

Requests are new GLSAs without any fields completed. Requests can be created using the "New" tab. At least one bug must be provided and a title. A generic title will automatically be created based on the bug(s) entered. Clicking the generic title will populate the title field. Importing references will cause any CVEs linked through CVETool to be added to the references section of the GLSA. The request can be created as public or confidential.

Only GLSAMaker2 users with "Confidential member" access will be able to view the GLSA.

Existing Requests

Existing GLSA requests can be found in the "Requests" tab. Any pooled GLSA request still needs to be drafted (see next session).

GLSA Edit Mode

Clicking a GLSA request from the "Requests" tab opens the GLSA in edit mode. Here, all fields should be filled out. Features in edit mode:

  • Clicking the template icon (red, blue, and green boxes) next to a field shows a drop-down menu with template options.
  • Clicking the document go icon (paper with blue arrow) for the description field fills it with the default "Multiple vulnerabilites" description.
  • Clicking the no workaround icon (bandage and red minus sign) for the workaround field fills it with the default "No workaround" text.
  • Clicking the resolution go icon (wrench with blue arrow) for the resolution field fills it with the default resolution text.
  • CVE references can be added without a URL by simply adding the CVE identifier in the title field. Upon saving, the URL will automatically be populated. All other references should have a URL


  • Clicking the bug number shows the GLSAMaker bug view, clicking [BZ] next to the bug number opens the bug in Bugzilla.
  • Comment flags (red flags) must be changed to done (green flags) in edit mode.

GLSA Drafts

A GLSA draft has all fields filled in and should be ready for review. GLSA drafts can be reviewed by adding a comment. For the GLSA draft to be bug-ready, it must contain [glsa] in the whiteboard. CVE identifiers linked to the bug(s) through CVETool can be added to the GLSA using the "Import references" button.

GLSAMaker2 will not check for duplicate CVE references. Review the reference list for accuracy!

When a CVE is added, the official summary of the CVE will be displayed on the summary page. If the CVE comes up with a warning about not being in the database, find a reliable source that verifies the CVE (an oss-security request, Red Hat bug, etc.) and link that in a comment.

GLSA Release

A GLSA draft can be released with the "Release advisory" button after it has received the appropriate number of approvals. (Padawans will not be able to approve or release GLSA drafts). During the release process, the GLSA XML file can be downloaded to be added to CVS and the text file can be viewed to copy/paste into an email. Lastly, GLSAMaker2 can automatically close all the bugs assigned to the GLSA.

Released GLSAs can be edited through the "Archive" tab or by searching the GLSA. The re-release process is the same.

Common Mistakes

  • Not updating version numbers after adding a new bug
  • Forgetting to add/import CVEs from new bugs
  • Not capitalizing the product name in all fields (especially make sure to double-check the Resolution field after updating with new version numbers)