On Sun, Jan 07, 2007 at 12:07:05PM +0100, Thorsten Leemhuis wrote:
> * QA -- wwoods and his recruits (also (¹))
[...]
> (¹) -- FIXME -- the security team either needs to become a separate
> group or gets under the hood of the Package/Repo Group or the QA group

separate_group++;

The only reason I've heard in the past for not wanting to actively pursue a Fedora Security Team was because if Fedora is pushing out security updates faster than RHEL, it makes RHEL look bad to its customers. This is not a good enough reason IMO.

At the moment, all security updates require approval from the Red Hat Security Response Team. With the new update system, this should most likely change, and it would be nice to have our own security team to do the approvals. With the proper infrastructure, and overlapping security teams, coordinating security fixes between the distros can be made trivial.

Some good reasons off the top of my head to have our own security team:

- allow Fedora to be an active contributor in the security world. How many liaisons do we have on vendor-sec? How many hackers do we have auditing our packages and infrastructure? Probably none in both cases -- which should change.

- provide useful security advisories as opposed to an RPM changelog and whatever notes the overworked developer feels like writing up. Every other distro out there sends security advisories to bugtraq and such. We push out plenty of security updates already, why not make it known?

- help make sure security issues are fixed timely, by staying on top of the devs and cracking the whip.

luke

_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-advisory-board