Several oddities in how Gentoo handles security bugs make individual bugs, and the vulnerability handling process in general, hard to follow for an outside observer or for scripts and automation; outdated documentation and tooling add to the problem. This page tracks the state of various efforts to improve the situation.
Reworking security bug assignment
Mostly deferred, since it first needs to be implemented in various tooling.
Ending the "1/20" rule
The threshold is completely arbitrary (we have no way to measure how popular a package is), and it makes no sense to base bug/GLSA severity on a package's popularity in the first place.
Properly defining sets of packages which aren't security-supported
WIP wiki section for security@ project page
More work is needed to find succinct wording, but the gist is that Firefox/Chromium derivatives are not *necessarily* security supported.
Documentation needing update
All pages under the www.g.o (www.gentoo.org) page
Padawan process is completely outdated
Stabilization detached from security bugs
Proposed by mgorny, announced as policy on gentoo-dev
Disbanding of security-kernel and security-audit
Completely unnecessary; both only added complexity to the security@ structure.