We need to be more clear about when we do security advisories and
what categorisation we use. This diff should start with addressing
that.
Details
Details
- Reviewers
- None
- Group Reviewers
secteam
Diff Detail
Diff Detail
- Repository
- rD FreeBSD doc repository - subversion
- Lint
No Lint Coverage - Unit
No Test Coverage - Build Status
Buildable 12389 Build 12665: arc lint + arc unit
Event Timeline
Comment Actions
Generally looks good. Mostly grammar nits and some clarification needed.
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 59 | This shouldn't be a new sentence, just merge it into the previous sentence. | |
| 66 | disclosure | |
| 70 | From should be capitalized for consistency. I think I would drop the trailing punctuation as these are sentence fragments. | |
| 80 | What does unassisted mean in this context? | |
| 88 | The last sentence seems rather negative. Should we say something like: "Items that are not on this list are looked into individually and it will be determined then whether or not it will receive a Security Advisory or an Errata Notice." And just drop the last sentence? | |
Comment Actions
I have updated all requested changes and I will be updating the diff to reflect that.
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 80 | Unassisted means that you can break into a kernel without needing helper tools. So for example that you can "jexec" directly into a running jail without additional need for ehm "Squid" running within the jail (just to name one random application). | |
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 68 | What does the "either" refer to? | |
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 68 | Perhaps that summary can be better like: From either:
Or something? | |
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 68 | "Either" implies one of two; probably From one of:
| |
Comment Actions
We ought to add some guidance on when how we handle issues - when they're kept secret until SA, vs committed to HEAD, MFC'd, and then rolled into a SA or EN.
Depending on the severity of the issue and on external constraints a patch may be (kept secret? embargoed?) until the SA is released. For lower severity issues the change may be committed directly to HEAD and merged to stable branches before appearing in a SA or EN.
| en_US.ISO8859-1/htdocs/security/security.xml | ||
|---|---|---|
| 85 | We should probably drop "very likely" since we give no indication of when it might not happen. Maybe just something like "A Security Advisory will be issued for (important? serious? exploitable?) issues that fall into one of these categories." | |
Comment Actions
We'll need to redo this after the Ascidoc conversion, there might be some outstanding items but we should at least do this as an interim step.