Security Changes

There are various oddities in how security bugs are handled in Gentoo that make security bugs, and the vulnerability handling process in general, hard to understand for an outside observer or for scripts/automation, alongside problems such as antiquated documentation and tooling. Here, I seek to track the state of various efforts to improve this situation.


Reworking security bug assignment

Mostly deferred, since it first needs to be implemented in various pieces of tooling.

gentoo-dev discussion

Ending the "1/20" rule

This rule is completely arbitrary (we cannot actually measure package popularity), and it does not make sense to base bug/GLSA severity on how popular a package is.

Properly defining sets of packages which aren't security-supported

WIP wiki section for security@ project page

More work is needed to find a succinct wording, but the gist is that we want to note that Firefox/Chromium derivatives are not *necessarily* security supported.

Documentation needing update

All pages under the www.g.o page

Padawan process is completely outdated


Stabilization detached from security bugs

Proposed by mgorny, announced as policy on gentoo-dev

Disbanding of security-kernel and security-audit

Completely unnecessary; they only added complexity to the security@ structure.

security-kernel bug

security-audit bug