Conversation

@thesamesam
Member

@thesamesam thesamesam commented Dec 20, 2025

A lot of this was previously unwritten and/or scattered across the wiki.

See also:

Note that those pages could do with a refresh as well, but one thing at a time.

@thesamesam thesamesam force-pushed the security branch 2 times, most recently from b7f9731 to d0dc3e1 December 20, 2025 06:11
Member

@ulm ulm left a comment


"Ebuild maintenance" seems an odd place for this, when the word "ebuild" doesn't even occur in the whole chapter.

I wonder if this shouldn't go under "General concepts" instead?

@thesamesam
Member Author

"Ebuild maintenance" seems an odd place for this, when the word "ebuild" doesn't even occur in the whole chapter.

I was thinking of it in terms of "one's duties when maintaining a package/ebuild". I could use the term ebuild in a few places but I don't want to jam it in either. Let me review and see...

But I do not object to "General concepts", just explaining why I chose this.

@ulm
Member

ulm commented Dec 20, 2025

I could use the term ebuild in a few places but I don't want to jam it in either.

No, I'm not at all asking for this. 😄 That the term "ebuild" is missing in the present version was an indication for me that there might be a better place for the page.

@thesamesam thesamesam force-pushed the security branch 2 times, most recently from 732ed7c to 5af9af2 December 20, 2025 07:08
@thesamesam thesamesam changed the title ebuild-maintenance/security: new page general-concepts/security: new page Dec 20, 2025
@orlitzky
Contributor

Please explain (or link to) the format of the bug title so that you don't have to correct me every time 🙏

A lot of this was previously unwritten and/or scattered across the wiki.

See also:
* https://www.gentoo.org/support/security/vulnerability-treatment-policy.html
* https://wiki.gentoo.org/wiki/Project:Security/GLSA_Coordinator_Guide

Note that those pages could do with a refresh as well, but one thing
at a time.

Signed-off-by: Sam James <sam@gentoo.org>
@thesamesam
Member Author

Please explain (or link to) the format of the bug title so that you don't have to correct me every time 🙏

That's partly what inspired it but it's long overdue :)

I've currently got this in there:

+<p>
+For such bug reports, the bug summary should reflect the first fixed
+version in the Gentoo repository, not the first fixed version released
+by upstream. This means unpackaged versions should not be in the title.
+</p>
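Review bot: the paragraph only covers the case where a fixed version already exists in the Gentoo repository, so a reader filing a bug for a package with no fixed ebuild yet (or no upstream fix at all) is left without guidance on the summary format. Suggest adding one sentence for that case stating that the summary then stays unversioned, e.g. "app-misc/foo: use-after-free", so the two cases (fixed version packaged vs. not) are both spelled out.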

I can tweak that if you want, maybe with an example but dunno if that's too verbose or not. If it would be helpful I can add it.

@gentoo-bot gentoo-bot merged commit c59b2c4 into gentoo:master Jan 25, 2026
1 check failed
@thesamesam thesamesam deleted the security branch January 25, 2026 02:24
@orlitzky
Contributor

+<p>
+For such bug reports, the bug summary should reflect the first fixed
+version in the Gentoo repository, not the first fixed version released
+by upstream. This means unpackaged versions should not be in the title.
+</p>

I can tweak that if you want, maybe with an example but dunno if that's too verbose or not. If it would be helpful I can add it.

What if there is no fixed version in ::gentoo, or at all?

@thesamesam
Member Author

Unversioned, so "app-misc/foo: use-after-free".

How about:

Security issues for packages with no fixed ebuilds available should have an unversioned title. For example, a use-after-free which is fixed upstream in a new yet-unpackaged release of app-misc/foo would have a title: "app-misc/foo: use-after-free".

Feels a bit wordy so suggestions welcome...

@orlitzky
Contributor

I'm half-asleep so this will be no good, but it feels like the whole thing can be covered by two cases (and a brief note that the usual convention is not followed)?

In other contexts the affected package name and version would be included in the summary of a bug, but please be aware that these security bugs do not follow that convention. For security bugs: if a fixed version is already available in the Gentoo repository, include that fixed version number in the bug summary; otherwise, do not include any version numbers at all.
