Security

Maintainer expectations

Bug reports

Maintainers are expected to file a bug on Bugzilla under the Gentoo Security product's Vulnerabilities component whenever a security vulnerability (even one without a CVE assigned) affects their package.

While the Gentoo Security project makes an effort to monitor CVE feeds, that is not a substitute for project-specific communications about vulnerabilities in release notes or other channels. Information often (though not always) eventually appears in CVE feeds, but usually with a significant delay.

Triaging the bug and filling in the Bugzilla whiteboard is appreciated, but not required of the package maintainer.

For such bug reports, the bug summary should reflect the first fixed version in the Gentoo repository, not the first fixed version released by upstream. Versions that are not yet packaged should therefore not appear in the title.

Fixed versions of packages

Upstream releases fixing security issues in a package should be packaged as soon as possible.

Similarly, releases fixing (ideally exclusively) security problems should be stabilised on an expedited basis. The maintainer is expected either to indicate how long stabilisation should wait, or to file the stabilisation bug themselves and make it block the security bug.

When committing a new ebuild to resolve a security issue, please refrain from making unnecessary changes to the ebuild or functionality: instead add a new ebuild revision later with unrelated changes if a new, non-security release is not anticipated any time soon.

For critical bugs, stabilisation is usually requested within 24 hours. For less serious bugs, consider the default timeline to be 7-14 days.

Be aware that upstreams are often under pressure to release fixes quickly, occasionally resulting in regressions: hurried stabilisation should be balanced against the severity of the reported vulnerabilities and the damage that could be done from a resulting regression.

For example, a mild security vulnerability in a networked authentication daemon, requiring special configuration to trigger a Denial of Service, might warrant waiting a couple of days if the fix touches generic code, meaning regressions could harm users outside of a fringe configuration.

Because security fixes can introduce upstream regressions, old versions should not be cleaned up aggressively. Security fixes have been known to break user workflows even when upstream does not consider the change a regression or a bug.