From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org)
by finch.gentoo.org with esmtp (Exim 4.60)
(envelope-from )
id 1QLh9b-00021H-Uh
for garchives@archives.gentoo.org; Sun, 15 May 2011 19:39:04 +0000
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id A48711C02F;
Sun, 15 May 2011 19:38:54 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
by pigeon.gentoo.org (Postfix) with ESMTP id 4C9631C02F
for ; Sun, 15 May 2011 19:38:54 +0000 (UTC)
Received: from flycatcher.gentoo.org (flycatcher.gentoo.org [81.93.255.6])
(using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
(No client certificate requested)
by smtp.gentoo.org (Postfix) with ESMTPS id 48E8E1B4013
for ; Sun, 15 May 2011 19:38:53 +0000 (UTC)
Received: by flycatcher.gentoo.org (Postfix, from userid 2235)
id 2511E20054; Sun, 15 May 2011 19:38:51 +0000 (UTC)
From: "Alex Legler (a3li)"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, a3li@gentoo.org
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en: coordinator_guide.xml vulnerability-policy.xml
X-VCS-Repository: gentoo
X-VCS-Files: coordinator_guide.xml vulnerability-policy.xml
X-VCS-Directories: xml/htdocs/security/en
X-VCS-Committer: a3li
X-VCS-Committer-Name: Alex Legler
Content-Type: text/plain; charset=utf8
Message-Id: <20110515193851.2511E20054@flycatcher.gentoo.org>
Date: Sun, 15 May 2011 19:38:51 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: quoted-printable
X-Archives-Salt:
X-Archives-Hash: 2eddff319a7f4c5688e77aaf2a323d05
a3li 11/05/15 19:38:51
Modified: coordinator_guide.xml vulnerability-policy.xml
Log:
Updating Vulnerability Policy and Coordinator Guide
Revision Changes Path
1.26 xml/htdocs/security/en/coordinator_guide.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/coordinator_guide.xml?rev=3D1.26&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/coordinator_guide.xml?rev=3D1.26&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/coordinator_guide.xml?r1=3D1.25&r2=3D1.26
Index: coordinator_guide.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/coordinator_guide.xm=
l,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- coordinator_guide.xml 30 Oct 2009 10:31:52 -0000 1.25
+++ coordinator_guide.xml 15 May 2011 19:38:51 -0000 1.26
@@ -14,6 +14,9 @@
Robert Buchholz
+
+ Alex Legler
+
=20
This document contains procedures, tips and tricks applying to the
@@ -24,8 +27,8 @@
=20
-0.8.8
-2008-05-09
+0.9
+2011-05-15
=20
Prerequisites
@@ -165,8 +168,7 @@
Kernel vulnerabilities are treated using a separate procedure. To easily
distinguish them from the other bugs, they are filed under the Kernel=
-category. Kernel bugs do not result in GLSAs but have their own publicat=
ion
-system (Gentoo KISS).
+category. Kernel bugs do not result in GLSAs.
=20
=20
-In [upstream] status, we wait for the fix version or a decent patch to
+In [upstream] status, we wait for the fixed version or a decent p=
atch to
appear. This status requires to regularly check upstream for information=
:
-development and announce mailing lists, websites, Bugs database, CVS whe=
n
-available, are all relevant sources of information. Unofficial patches m=
ust
-be taken into account only if the upstream developer does not react to t=
he
+development and announce mailing lists, websites, bugs database, VCS whe=
n
+available, are all other relevant sources of information. Unofficial pat=
ches
+must be taken into account only if the upstream developer does not react=
to the
vulnerability, and they must be thoroughly double-checked to ensure they
are not evil. When a fix version is announced or a patch is found, the b=
ug
-enters [ebuild] status.
+enters [ebuild] status.
=20
-If there is no reaction from upstream and no patch, we enter [upstream+]
+If there is no reaction from upstream and no patch, we enter [upstrea=
m+]
status. The only option here is to security-mask the vulnerable package
and issue a temporary GLSA if needed. See the policy for more details on=
the
security masking approval procedure. The status whiteboard should then b=
e
@@ -425,23 +424,24 @@
=20
-In [ebuild] status, we must identify the maintainer of the package, and
-summon him to commit a fix ebuild. Sources to identify the herd or devel=
oper
+In [ebuild] status, we must identify the maintainer of the packag=
e, and
+summon him to commit a fixed ebuild. Sources to identify the herd or dev=
eloper
responsible for maintaining a package are the metadata.xml file in the
directory of the package in portage and the Changelog file showing who d=
id the
-latest version bumps. You should Cc: the herd and/or maintainer responsi=
ble
-for the package on the bug and ask him to provide an ebuild for the fix
+latest version bumps. You should Cc: the herd and maintainer responsible
+for the package on the bug and ask him to provide an ebuild for the fixe=
d
version. You should periodically check that an ebuild wasn't committed
-to portage without any comment on the bug (it happens). When the ebuild
-appears, the bug enters [stable] status.
+to Portage without any comment on the bug (it happens). When the ebuild
+appears, the bug enters [stable] status.
=20
-If the maintainer doesn't show up, we enter [ebuild+] status. In case a =
fixed
-version is available, you should test if a simple version bump (renaming=
the=20
-ebuild to the version and emerging it) works. If only a patch is availab=
le, you
-should test if it applies cleanly. Then you should find a security bug w=
rangler
-with x86 commit rights to do the bump and mark the ebuild ~ for testing.
+If the maintainer doesn't show up, we enter [ebuild+] status. In =
case a
+fixed version is available, you should test if a simple version bump (re=
naming
+the ebuild to the needed/fixed version and emerging it) works.
+If only a patch is available, you should test if it applies cleanly.
+Then you should find a Security Team member with Portage tree commit rig=
hts to
+do the bump and mark the ebuild ~ for testing.
=20
@@ -449,7 +449,7 @@
the only option is to security-mask the unmaintained package and issue a
temporary GLSA if needed. See the policy for more details on the
security masking approval procedure. The status whiteboard should then b=
e
-flagged with masked and/or tempglsa keywords and bug severity set to
+flagged with masked and/or tempglsa keywords and bug sever=
ity set to
enhancement.
=20
@@ -460,11 +460,11 @@
=20
-In [stable] status, you have to determine what KEYWORDS the provided ebu=
ild
-needs before the GLSA can go out. This can be tricky. You have to consid=
er
-every version currently in portage so that the fix ebuild has equally=
or
-more stable keywords than any other packages in portage. Here is an
-example:
+In [stable] status, you have to determine what KEYWORDS the provi=
ded=20
+ebuild needs before the GLSA can go out. This can be tricky.
+You have to consider every version currently in portage so that the fix
+ebuild has equally or more stable keywords than any other package=
s
+in Portage. Here is an example:
=20
@@ -493,34 +493,29 @@
You can use http://packages.gentoo.org to help you determine
the needed KEYWORDS. If affected packages were removed by the package
-maintainer too early, you should use the
-CVS access
+maintainer too early, you should use our
+ViewVC
to dig in the Attic and look for old KEYWORDS.
=20
-Once determined (and noted for reference on the bug) the needed KEYWORDS=
,
-you should Cc: arch teams and ask them to mark the ebuild stable or ~
+Once you have determined (and noted for reference on the bug) the needed=
KEYWORDS,
+you should Cc: arch teams and ask them to mark the ebuild stable or test=
ing
accordingly. To make sure that the arch teams will pick the bug up, don'=
t forget
to add "STABLEREQ" to the bug's "Keywords" field. The arches alias are
archname@gentoo.org (x86@gentoo.org, ppc@gentoo.org...). All arches (inc=
luding
"unsupported" arches) must be called. But note that only "supported" arc=
hes (as
-defined in the policy) are needed before the bug can advance to [glsa] s=
tatus
+defined in the policy) are needed before the bug can advance to [glsa=
] status
You should periodically check for new keywords in the ebuild, as sometim=
es they
are changed without a comment in the bug. As soon as the required KEYWOR=
DS
-are in the ebuild for all supported arches, the bug enters [glsa] status=
.
-
-
-
-During a release preparation period you should also Cc: Release Engineer=
ing
-(release@gentoo.org) on all bugs with [stable] status.
+are in the ebuild for all supported arches, the bug enters [glsa]=
status.
=20
If the arch teams take too much time testing and changing the KEYWORDS, =
or
they refuse to mark stable a package due to outstanding problems, the bu=
g
-enters [stable+] status. We must track down arch-maintainers to have the=
m
-mark stable, help testing. You should also convince the arches that if t=
hey
+enters [stable+] status. We must track down arch maintainers to h=
ave them
+mark stable or help testing. You should also convince the arches that if=
they
discover a bug in the ebuild that already was in previous "stable" versi=
ons,
the ebuild should be marked "stable" anyway, even if it's not really sta=
ble,
as specified in the policy. If the KEYWORDS can't be met, the only other
@@ -535,23 +530,51 @@
=20
-In [glsa] status, the security bug is corrected. We need to issue the GL=
SA
+In [glsa] status, the security bug is corrected. We need to issue=
the GLSA
or close the bug without GLSA. The policy determines the cases where a G=
LSA
is needed and where a GLSA is not needed. There are also cases where a G=
LSA
-vote must take place to decide if a GLSA is needed ([glsa?] status).
+vote must take place to decide if a GLSA is needed ([glsa?] statu=
s).
If at least two Security Team members vote for "no GLSA", then no GLSA s=
hould
-be issued. The bug remains in [glsa] status until a GLSA is published.
+be issued. The bug remains in [glsa] status until a GLSA is publi=
shed.
=20
-When a GLSA is needed but nothing was sent, the bug enters [glsa+] statu=
s.
-It's the case when the assigned GLSA coordinator did not draft and/or
-made peer-reviewed and/or sent his GLSA. Other members of the Security T=
eam
-should take the lead at this point and finalize the GLSA.
+When a GLSA is needed but nothing was sent, the bug enters [glsa+] status.
+This is the case when there are delays during drafting, reviewing or sen=
ding
+the advisory. Any member of the Security Team should take the lead and f=
inalize
+the GLSA.
=20
+
+Bugs in [cleanup] status
+
+
+
+This status is not in order like the others. It is used to denote that t=
he
+maintainer needs to remove vulnerable ebuild versions in the tree.
+
+
+
+For example, the foo package has a vulnerability in versions earl=
ier
+than 1.23. The version 1.24 was added to Portage and is stable already
+(i.e. the stabilization was done before the security impact of the relea=
se was
+known), only old ebuilds need to be removed. The next status in this cas=
e would
+be [glsa] or [glsa?] depending on severity.
+
+
+
+Another use case might be when a package was updated, and all steps are =
done
+(i.e. a GLSA was sent or the team decided against sending one), but the
+vulnerable ebuilds should really be removed to avoid users accidentally
+installing them, the bug could be left open and set to the [cleanup]<=
/c>
+state. This is usually not needed tough, but may be used on a case-to-ca=
se base
+when the Security Team has an elevated interest in vulnerable ebuilds
+getting removed for whatever reasons.
+
+
+
Confidential vulnerability bug management
@@ -560,8 +583,8 @@
=20
-Confidential bugs should be following this pattern: "RATING [status]
-coordinator KEYWORD CRD", where:
+Confidential bugs should be following this pattern: RATING [status]
+KEYWORD CRD, where:
=20
@@ -581,11 +604,6 @@
[ebuild+]
-coordinator
-The nickname of the coordinator assigned to the bug, optional
-koon
-
-
KEYWORD
The confidentiality level of the bug, can be CLASSIFIED, CONFIDENTIA=
L, SEMI-PUBLIC
CLASSIFIED
@@ -631,13 +649,13 @@
=20
Confidential and classified bugs need extra care. The ebuild and files f=
ixing
-the vulnerability should NOT be committed to portage CVS, and no part of=
those
-bugs should ever be discussed in public. Patches or portage overlay tarb=
alls
-can be attached to the bug, though. Testers will have to setup their own
-overlay to test it.
+the vulnerability should NOT be committed to the Portage tree, and no pa=
rt of
+those bugs should ever be discussed in public. Patches or Portage overla=
y
+tarballs can be attached to the bug, though.
+Testers will have to setup their own overlay to test it.
The idea with those bugs is to prepare the ebuild and have it tested for=
the
coordinated release date, so that it can be released with all needed KEY=
WORDS
-together with the GLSA at the same time the issue goes public.
+together with the GLSA at the same time or shortly after the issue goes =
public.
=20
@@ -1201,3 +1219,4 @@
+
1.22 xml/htdocs/security/en/vulnerability-policy.xml
file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/vulnerability-policy.xml?rev=3D1.22&view=3Dmarkup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/vulnerability-policy.xml?rev=3D1.22&content-type=3Dtext/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/security/en=
/vulnerability-policy.xml?r1=3D1.21&r2=3D1.22
Index: vulnerability-policy.xml
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /var/cvsroot/gentoo/xml/htdocs/security/en/vulnerability-policy=
.xml,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- vulnerability-policy.xml 14 Apr 2009 00:06:25 -0000 1.21
+++ vulnerability-policy.xml 15 May 2011 19:38:51 -0000 1.22
@@ -14,6 +14,9 @@
Robert Buchholz
+
+ Alex Legler
+
=20
This document describes the policy used in Gentoo Linux to treat
@@ -25,8 +28,8 @@
=20
-1.2.7
-2009-04-14
+1.3
+2011-05-15
=20
Scope
@@ -45,7 +48,7 @@
=20
-For this reason, the security team separates Gentoo architectures into t=
wo
+For this reason, the Security Team separates Gentoo architectures into t=
wo
groups, supported and unsupported:
=20
@@ -106,34 +109,19 @@
-Release Engineering
-
-
-The Release Engineering ("releng") project appoints a developer to be th=
e
-primary point of contact for security issues.
-
-
-Release Engineering informs the Gentoo Security Project when a first tre=
e=20
-snapshot is taken for media releases. Beginning with the first snapshot =
until=20
-the official media release ("release preparation period"), Release Engin=
eering=20
-(the appointed security liaison in case of confidential issues) should b=
e cc'd=20
-on each security bug entering the stabilization phase.
-
-
-
-
Kernels
=20
-Currently kernels are not covered by the GLSA release process.
+Kernels are not covered by the GLSA release process.
Vulnerabilities must still be reported and will be fixed, but=20
-no GLSA will be issued when everything is solved.
+no GLSA will be issued when everything is solved.
=20
-This policy should be changed when new tools are added to cover
-security vulnerabilities affecting the different kernel sources.
+The kernel-check
+utility is being developed to provide Kernel security information.
+This policy should be updated accordingly when it is ready.
=20
@@ -148,13 +136,13 @@
newer (~ARCH) ebuild, but the older (stable) packages are not affected, =
or when
the package has never had any stable ebuilds in the tree.
In this case the vulnerability must still be reported and will be fixed,=
but=20
-no GLSA will be issued when everything is solved.
+no GLSA will be issued when everything is solved.
=20
This policy might be changed when our tools support more complex
upgrade paths and if a sufficient number of GLSA coordinators join
-the security team.
+the Security Team.
=20
@@ -174,7 +162,7 @@
security@gentoo.org).
Major security lists should have official scouts assigned to them which
should ensure that all vulnerabilities announced on these lists get a
-security bugzilla entry.
+security Bugzilla entry.
=20