>>>>> "JB" == Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxxx> writes:

JB> Others with CVS access should make the fix in cases like this.

This is a difficult issue, though. Take a current example: clamav. I'm not trying to pick on the clamav maintainer at all; this just happens to have piqued my curiosity about the process.

Currently extras has 0.87.1, which is supposedly remotely exploitable. 0.88 was released on Jan 9. The maintainer did check the new version into all branches immediately, but currently only the development branch has been built. I have CVS access, so in theory I could tag and submit a build request. But there must be some reason why it hasn't built on the release branches yet. So I opened a bug (177761) and built the packages locally for testing. (They seem to be running fine, BTW.)

So, assume for the sake of argument that the maintainer doesn't respond to the bug. At what point does someone need to take action? Who takes that action?

JB> There is no fedora-extras-announce list.

Does this strike anyone else as a bad idea in the long run? extras-list is too high-volume to expect people to watch for security releases, and I doubt Red Hat wants to open up the more official announcement lists to the likes of me.

JB> Now the real question is, should there be some sort of defined
JB> policy for security fixes?

I think there has to be; the users deserve that much.

 - J<