Tips for searching and filtering Security bugs

1. Bug Searching

For identifying all security-related bugs, use the bugzilla query page and set the following fields:

Component: select "Vulnerabilities"
Status: set this to the type of bug you want to search for (i.e. closed bugs, open bugs, etc.)

This will give you a list of all security bugs in our system. (or at least the ones that are properly assigned)

When a package has had a security patch applied, it typically needs to be tested before being marked stable on affected architectures. To identify all bugs where a particular arch needs to mark a package stable, use the query page and set the following fields:

Component: select "Vulnerabilities"
Status: set this to "New", "Assigned" and "Reopened" (i.e. don't search for bugs that are closed)
Email and Numbering: Any of: "CC list member" should be set to "contains <arch>@gentoo.org"

When a package gets patched and requires testing, the security team will CC all relevant arches on that particular bug and request that they test and mark the package as stable on their architecture. Thus, by using the search criteria described above, you'll be able to easily see what bugs require attention for a particular arch.

Important: To make this report effective, it's very important that arch teams remember to remove themselves from the CC list once they have stabilized a package.

Note: For unsupported arches, bugs may be closed without the package being marked stable on that particular architecture. Thus, developers for these architectures may wish to include closed bugs in their queries. (For an explanation of "supported" vs. "unsupported" architectures, please see the Vulnerability Treatment Policy.)

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.