User:Ajak/Security Changes

From Gentoo Wiki
Jump to:navigation Jump to:search

Security Changes

There are various weird things about security bug handling in Gentoo that make security bugs and the vulnerability handling process in general hard to grok by an outside observer, or by scripts/automation, as well as problems such as antiquated documentation or tooling. Here, I seek to track the state of various movements towards bettering this situation.

TODO

Reworking security bug assignment

Mostly deferred due to the need to implement in various tooling.

gentoo-dev discussion

Ending the "1/20" rule

This is completely arbitrary (because we cannot measure popularity) and it does not make sense to base bug/GLSA severity on how popular a package is.

Properly defining sets of packages which aren't security-supported

WIP wiki section for security@ project page

More work needed to find a succinct wording, but the gist is that we want to note that Firefox/Chromium derivatives are not *necessarily* security supported.

Documentation needing update

All pages under the www.g.o page Padawan process is completely outdated

Done

Stabilization detached from security bugs

Proposed by mgorny, announced as policy on gentoo-dev