On Fri, 2006-01-13 at 15:15 -0600, Josh Boyer wrote:
> > Because I maintain a package (denyhosts) which contains a daemon that
> > runs continuously as root, the issue of how to handle security fixes
> > for packages in extras interests me greatly.
> >
> > Some questions:
> >
> > Is there any defined procedure for handling security fixes?
>
> No.
>
> > What if the maintainer is out of pocket?
>
> Others with CVS access should make the fix in cases like this.
>
> > If I need to push a security fix, is there a way to jump ahead in the
> > build queue and expedite the sign and push process?
>
> Not that I know of. Expediting the sign/push process could be done by
> asking someone with access to the buildsys to do the push I suppose.
>
> > Is there somewhere I could send an update announcement?
>
> Here is the best place I think. There is no fedora-extras-announce list.
>
> Now the real question is, should there be some sort of defined policy for
> security fixes?
>

I'd be game with making an extras-security alert address that had the
package signers and some other security folks on it so we could expedite
things if need be. But a private list, for obvious reasons.

-sv