SVG:EGI MW Unit View
EGI MW Unit View
The majority of the Grid middleware deployed in the EGI infrastructure is released as part of the EGI Unified Middleware Distribution (UMD). Hence the EGI Middleware Unit, which distributes software in the UMD, will need to interact with the EGI SVG.
The EGI Middleware Unit will be alerted when a Risk Assessment is Complete
Representatives of the EGI Middleware Unit, as agreed with SVG, will be informed by e-mail after a Risk Assessment has taken place. The contacts have been agreed. The e-mail will include the Risk category and Target Date for resolution, and a link to the vulnerability in the EGI Request Tracker. These agreed contacts will be able to view this item in the Request Tracker.
The EGI Middleware Unit ensures the vulnerability is fixed in time for the Target Date
The EGI Middleware Unit and the software provider will need to co-ordinate to ensure that a new version of the software, with the vulnerability fixed, is available on or before the Target Date. This version must be available for widespread deployment in the EGI infrastructure.
In some cases, such as when issues are categorized as High or Critical Risk, an emergency release may need to be made.
The EGI Middleware Unit informs SVG when about to release a version which fixes a vulnerability
The EGI Middleware Unit should inform SVG when they are about to make a release which fixes a vulnerability. The simplest way to do this is via the Request Tracker, by adding a comment to the item for the specific vulnerability. This allows SVG to complete the advisory as appropriate and refer to the release version.
The EGI Middleware Unit ensures the release notes refer to the advisory
The advisory should refer to the release, and the release notes should refer to the advisory.