---------------------------------
| Authors: klieber, koon, falco |
| Revision: 20 sept 2007        |
---------------------------------

Prepare your environment :
- export CVS_RSH="ssh"
- export CVSROOT="klieber@cvs.gentoo.org:/home/cvsroot"
- cd /my/cvs/checkout/dir
- cvs checkout gentoo/xml/htdocs/security
- subscribe your xxxx@gentoo.org address to :
  > bugtraq@securityfocus.com
  > full-disclosure@lists.netsys.com
- have a GPG key for your xxxx@gentoo.org address

GLSA publication :
- GLSAMaker a pool/ draft
- peer-review until 2 (or more) approvals by full-devs and no rejection
- "move" with the "move" link
- 'Fetch' the xml and download the txt versions ("save-as")
  -> here, you have a frame-view.php file which contains the text
     version to be mailed, and a glsa-200XXX-XX.xml file, to be
     committed to CVS
- go to your CVS repository, in security/en/glsa
- cvs add, cvs commit
  - log message = GLSA 2004-
    (cvs ci -m "GLSA 200XXX-XX" glsa-200XXX-XX.xml)
- prepare email :
  > From and Return-Path must be xxxx@gentoo.org,
  > Subject must be "[ GLSA XXXXYY-ZZ ] Your vulnerability here"
  > body must be only GLSA (the txt version)
  > email must be signed by the GPG key for your xxxx@gentoo.org address
- send mail
  To: gentoo-announce@gentoo.org
  Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
      security-alerts@linuxsecurity.com
  note: the gentoo-announce email will require moderation. You'll get an
  email about that -- just reply to it and you'll be fine.
  - Only reply to GLSA *you* have sent
  - Be careful with forwarding loops to g-announce, via bugtraq or
    full-disc: check the headers of the moderated mail.
  note: forum announcement is taken care of by forum moderators (for the
  moment)
- Wait for the GLSA to appear on g-announce, then close the bug
  (RESOLVED/FIXED)
- Preferably, wait for the GLSA to appear on g-announce before sending
  another one; we used to have trouble with lost GLSAs when sending
  several at the same time.
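
One way to check a saved draft against the "prepare email" and "send mail" rules above before sending, as an added example that is not part of the original procedure. The function names, the six-digit/two-digit reading of XXXXYY-ZZ, and the sample draft are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pre-send check of a raw GLSA mail draft.
# Print the unfolded value of header $1 from file $2 (header block only, LF line ends).
header() {
    awk -v h="$1" 'BEGIN { h = tolower(h) ":" }
        /^$/ { exit }
        on && /^[ \t]/ { v = v $0; next }
        on { exit }
        tolower(substr($0, 1, length(h))) == h { on = 1; v = substr($0, length(h) + 1) }
        END { sub(/^[ \t]+/, "", v); print v }' "$2"
}

# Return 0 if the draft follows the rules above; print one line per violation.
check_glsa_mail() {
    f=$1; rc=0
    for h in From Return-Path; do
        header "$h" "$f" | grep -Eq '[A-Za-z0-9._-]+@gentoo\.org>?[[:space:]]*$' ||
            { echo "FAIL: $h is not a gentoo.org address"; rc=1; }
    done
    # Assumption: XXXXYY-ZZ means six digits, a dash, two digits.
    header Subject "$f" | grep -Eq '^\[ GLSA [0-9]{6}-[0-9]{2} []] .+' ||
        { echo "FAIL: Subject is not '[ GLSA XXXXYY-ZZ ] title'"; rc=1; }
    header To "$f" | grep -Fq 'gentoo-announce@gentoo.org' ||
        { echo "FAIL: To is not gentoo-announce@gentoo.org"; rc=1; }
    for cc in bugtraq@securityfocus.com full-disclosure@lists.grok.org.uk \
              security-alerts@linuxsecurity.com; do
        header Cc "$f" | grep -Fq "$cc" || { echo "FAIL: Cc lacks $cc"; rc=1; }
    done
    # Presence only (inline clearsign or PGP/MIME assumed); gpg --verify checks the key.
    { header Content-Type "$f" | grep -Fqi 'multipart/signed' ||
      grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$f"; } ||
        { echo "FAIL: no PGP signature found"; rc=1; }
    return $rc
}

# Constructed sample draft, not a real advisory; xxxx is the page's placeholder.
sample_draft() {
    cat <<'EOF'
From: Example Dev <xxxx@gentoo.org>
Return-Path: <xxxx@gentoo.org>
To: gentoo-announce@gentoo.org
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk,
 security-alerts@linuxsecurity.com
Subject: [ GLSA 999912-99 ] example-package: constructed sample

-----BEGIN PGP SIGNED MESSAGE-----
(text version of the GLSA goes here)
EOF
}
```

To try it, run `sample_draft > draft.eml; check_glsa_mail draft.eml` after sourcing the file; a clean draft prints nothing and returns 0.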