On Tue, May 13, 2008 at 12:45 PM, Greg DeKoenigsberg <gdk@xxxxxxxxxx> wrote:
>
> So I've been having a conversation with Mark Cox about the Debian/Ubuntu
> SSL bug. This is basically a horror story of what can go wrong when
> packagers don't maintain close relationships with upstream. I asked Mark,
> "what security policies do we have in place to keep this from happening in
> Fedora-land?" And his response was, "I don't know, what security policies
> do we have in place to keep this from happening in Fedora-land?"
>
> We know that RHEL is secure and stable, and we *do* have safeguards in
> place to prevent this from happening in RHEL-land. But a mistake like this
> in Fedora-land would be every bit as bad for the Red Hat and Fedora brands.
>
> Are there any steps we can take to protect ourselves from this kind of
> mistake -- in which a packager does something dumb to the package and no one
> notices it?
>

Well, the biggest step would be to add additional code review steps for packages... and probably trying to increase the number of 'code-monkeys' per package. However, I am not sure that is the best step... especially to the crowd that believes Fedora is too bureaucratic now.

Would having a review release, where instead of trying to put in things as newer we worked on getting more eyes on the code, make sense? How could it be done?

Also, how many times does a patch get added because someone saw it in the 'Debian' or 'SuSE' trees and it looked like it 'fixed' something?

-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

_______________________________________________
fedora-advisory-board mailing list
fedora-advisory-board@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-advisory-board