Re: how to get started with helping the project [...]

Quoting Jesse Keating <jkeating@xxxxxxxxxxxxxxx>:

> On Thu, 2005-03-03 at 22:06 +0100, Daniel Roesen wrote:
> > The problem is that people who take security serious can't wait weeks
> > and months for security fixes to arrive from FL. And as that's
> > (security fixes) all FL provides...

That is a fair and valid complaint.

> packages.  Fedora Legacy is part of VendorSec now, however to really act
> on any information I get from there, I would need to close community
> access to the bug and communicate privately with a very very select few
> about the issue.  I'm torn on this.  It would allow for potentially
> faster and more coordinated packages, but the community would have a lot
> less chance to do the QA and testing.  It is a very hard thing to do.
> What may happen is that we'll have testing packages ready at coordinated
> announce time, for the community to QA so that we can release shortly
> thereafter.  Is anybody opposed to this strategy?  It will still mean
> private bugs in bugzilla until ready for announcement.

I think that is a fine idea.  The community wants quick updates.  We also
want open QA.  I don't see a problem with someone creating a package before
the bug is opened (or to a private bug report), for whatever reason.

I still think anything would have to go through a public QA before being
published.  But I don't see why we can't get the people involved in the
VendorSec part to create and validate the initial package.  You just need
to have as many people in the VendorSec loop as you need minimum votes to
move the package to testing.

> > For me, FL is only of value if I can save time by just installing FL
> > RPMs instead of rolling my own security updates. But at least remotely
> > exploitable vulnerabilities require *immediate* fix so people can't
> > wait weeks and months for FL to get into gear. So one has to backport or
> > install newer, fixed versions manually. So no time saved at all.

Or buy a pay service such as that from Progeny.

> > I'm surely NOT picking on the FL project. It's all free (as in "beer")
> > after all, and the intentions are very noble. But it's IMHO a fact
> > that current procedures (and probably lack of community manpower) lead to
> > unacceptable delays which renders the whole project's point somewhat
> > moot.

Well, it renders the current value of it very low.  But that doesn't mean
it can't grow to be a quick, reliable project in the future.

-- 
Eric Rostetter

--

fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list