Project Talk:Security/GLSA Coordinator Guide

This page is a discussion of how to tighten the bug-title naming procedure so that titles are unambiguous. Note: this is an initial draft and should be refined.

Multiple Packages as part of Vulnerability / CVE

If multiple packages are affected by the CVE(s), the following rules apply.

If the packages are variants of the same package that differ only in a name suffix (for example a -bin package), the differing part is written as a brace alternation. Example: category/package-name{,-bin}, or for Java, dev-java/oracle-{jre,jdk}-bin.

If there are multiple CVEs, the following rules apply. A single CVE is written CVE-Year-Number. For multiple CVEs of the same year, the numbers are listed in braces. Example: CVE-2013-{1234,1237,1239}. If the CVEs span different years, separate the years with commas. Example: CVE-2013-{1234,1237}, CVE-2014-{0005,0007}

Stable Candidate

When a stable candidate or fixed version is available in Portage (whiteboard is [stable], [glsa], or [cleanup]), the bug title is changed to indicate which versions of the package are vulnerable. In this case the bug title syntax is:

<category/package_name-first_fixed_version: Description of Vulnerability or Impact (CVE...)

Note: there must be no space between the package name (or version) and the colon that follows it. See the next section for more about status whiteboard rules.

If a package has multiple slotted versions, use braces to list the fixed version for each slot. Example: <category/package_name-{1.7,2.4}: Description of Vulnerability.
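As an added example (not part of the draft above and not a Gentoo security-team tool), the following Python parses and lints bug titles that follow the rules from both sections above: brace alternation for package variants, slotted versions and CVE numbers, the leading "<" marking a fixed-version title, and the no-space-before-colon rule. It assumes a simplified version grammar (a version starts with a digit and may carry an -rN revision) rather than Portage's full one, and the title strings it is exercised with are constructed for illustration.

```python
"""Parse and lint GLSA-style bug titles of the form

    <category/package-{ver1,ver2}: Description (CVE-YYYY-{N1,N2}, CVE-YYYY-N3)

Braces are expanded the way the shell expands them, so one title can name
several package atoms and several CVEs.  Version splitting uses a simplified
pattern (assumption: a version starts with a digit and may end in -rN); it is
not Portage's full version grammar.
"""
import re
from itertools import product

BRACE_RE = re.compile(r"\{([^{}]*)\}")
# Simplified atom split (assumption, see module docstring): everything up to
# the last "-<digit...>" is category/package, the remainder is the version.
ATOM_RE = re.compile(r"^(?P<cp>.+?)-(?P<ver>\d[^-]*(?:-r\d+)?)$")
# A CVE reference is CVE-YYYY- followed by either one number or a brace group.
CVE_RE = re.compile(r"CVE-(\d{4})-(\{[^{}]*\}|\d{4,})")


def expand_braces(text):
    """Expand every {a,b,...} group: 'x-{jre,jdk}-bin' -> ['x-jre-bin', 'x-jdk-bin'].
    An empty alternative is allowed, so 'pkg{,-bin}' -> ['pkg', 'pkg-bin']."""
    parts = BRACE_RE.split(text)          # literal, group, literal, group, ...
    literals = parts[0::2]
    groups = [[alt.strip() for alt in grp.split(",")] for grp in parts[1::2]]
    expanded = []
    for combo in product(*groups):        # product() of no groups yields one empty combo
        out = literals[0]
        for alt, lit in zip(combo, literals[1:]):
            out += alt + lit
        expanded.append(out)
    return expanded


def lint_title(title):
    """Return the list of naming-rule violations; an empty list means the title is clean."""
    problems = []
    if title.count("{") != title.count("}"):
        problems.append("unbalanced braces")
    if re.search(r"\s:", title):
        problems.append("space before the colon after the package/version")
    if ":" not in title:
        problems.append("missing ':' separator between atom and description")
    elif not re.search(r":\s", title):
        problems.append("missing space after the colon")
    # Every "CVE-" must start a well-formed reference (a brace group must close).
    for m in re.finditer(r"CVE-", title):
        if not CVE_RE.match(title, m.start()):
            problems.append("malformed CVE reference: " + title[m.start():m.start() + 24])
    return problems


def parse_title(title):
    """Split a title into the fixed flag, expanded atoms, description and CVE list."""
    head, _, desc = title.partition(":")
    head = head.strip()
    fixed = head.startswith("<")          # "<pkg-ver" means versions below ver are vulnerable
    atoms = []
    for atom in expand_braces(head.lstrip("<")):
        m = ATOM_RE.match(atom)
        if fixed and m:
            atoms.append((m.group("cp"), m.group("ver")))
        else:
            atoms.append((atom, None))    # pre-fix titles carry no version
    cves = []
    for year, nums in CVE_RE.findall(desc):
        for num in expand_braces(nums):
            cves.append("CVE-%s-%s" % (year, num))
    description = re.sub(r"\s*\(CVE.*\)\s*$", "", desc.strip())
    return {"fixed": fixed, "atoms": atoms, "description": description, "cves": cves}


if __name__ == "__main__":
    # Constructed titles, not real bugs.
    for t in ("<dev-java/oracle-{jre,jdk}-bin-1.7: Multiple vulnerabilities "
              "(CVE-2013-{1234, 1237}, CVE-2014-{0005,0007})",
              "<dev-libs/foo-1.0 : Bug (CVE-2013-{1234,1237,1239))"):
        print(t)
        print("  problems:", lint_title(t) or "none")
        print("  parsed:  ", parse_title(t))
```

The linter deliberately checks the whole string for a whitespace-then-colon sequence so that the missing-space rule is caught even when the colon is the first one in the title; the parser, by contrast, only splits on the first colon, so a colon inside the description is left alone.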