On Thu, 2005-03-03 at 22:06 +0100, Daniel Roesen wrote:
> The problem is that people who take security seriously can't wait weeks
> and months for security fixes to arrive from FL. And as that's (security
> fixes) all FL provides...

This is very true. It continues to be my main goal to get packages out quicker. One can say the same about distros like Red Hat and Debian, in that the time between a vuln being known and packages coming out may be too long for the really sensitive systems. However, these distros communicate about vulns using VendorSec in a non-public way, and are able to coordinate the announcement and therefore the release of packages.

Fedora Legacy is part of VendorSec now; however, to really act on any information I get from there, I would need to close community access to the bug and communicate privately with a very, very select few about the issue. I'm torn on this. It would allow for potentially faster and more coordinated packages, but the community would have a lot less chance to do the QA and testing. It is a very hard thing to do.

What may happen is that we'll have testing packages ready at coordinated announce time, for the community to QA so that we can release shortly thereafter. Is anybody opposed to this strategy? It will still mean private bugs in bugzilla until ready for announcement.

> For me, FL is only of value if I can save time by just installing FL
> RPMs instead of rolling my own security updates. But at least remotely
> exploitable vulnerabilities require *immediate* fixes, so people can't
> wait weeks and months for FL to get into gear. So one has to backport or
> install newer, fixed versions manually. So no time saved at all.

Right. There are those that don't rely on the vendor at all for security fixes; they do it themselves using source on the critical systems. There is no way to compete with the speed this can have.

> I'm surely NOT picking on the FL project. It's all free (as in "beer")
> after all, and the intentions are very noble. But it's IMHO a fact that
> current procedures (and probably lack of community manpower) lead to
> unacceptable delays which render the whole project's point somewhat
> moot.

For a lot of systems, yes. For other, less sensitive systems we still provide a good service, especially for those who lack the manpower to take care of these things on their own.

> Really, don't get me wrong, and thanks to all contributors for their
> commitment.
>
> Just my 0.02 EUR.

I do appreciate your feedback!

--
Jesse Keating RHCE (geek.j2solutions.net)
Fedora Legacy Team (www.fedoralegacy.org)
GPG Public Key (geek.j2solutions.net/jkeating.j2solutions.pub)

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=jkeating

--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list