This page is intended to provide useful resources for performing security project work in Gentoo (e.g. identifying vulnerable packages, finding bugs to triage).
See this page for sources of new release information.
- Note that it's very easy for a bug to get 'stuck' in one of these states, especially [upstream/ebuild] and [upstream].
- We need to check the references and/or ask the maintainer what their plans are if a patch exists.
- Waiting for an ebuild (upstream have released a fixed version)
- Patch available may want to wait for new release (ask maintainer)
- Waiting for upstream (may have been fixed since last checked, meaning we may change to upstream/ebuild or ebuild if a release was made)
- Waiting to stable (maintainer may or may not have told us to wait, sometimes we need to ping and ask if no comment from them and been a little while)
- Stabilisation (note that sometimes we need to ping arches if it's been a while, sometimes people forget to change the whiteboard to this, or sometimes stable is done and we need to change to cleanup)
Note that Repology isn't necessarily accurate: we may have patched vulnerabilities or already have open bugs, but it's a good sanity check.
We may need to create bugs for issues flagged up by this.