>>>>> "JB" == Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxxx> writes:

>> What if the maintainer is out of pocket?

JB> Others with CVS access should make the fix in cases like this.

I believe we may have to test this. clamav in extras has what is potentially a remotely exploitable hole; an upstream update fixing the problem was released on January 9. I opened https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=177761 on Friday but it has elicited no response from the maintainer.

The maintainer checked the new version into CVS (on all branches) immediately upon its upstream release and sent a build request on the devel branch (but not any of the release branches). I tested the CVS code on FC-3 over the weekend on my primary MXes and found no issues.

This begs the following questions:

How long should the community wait for the maintainer?

Who should issue the build request?

I'm really trying hard to avoid stepping on toes here. I think clamav is a fine package, but the maintainer seems to be away, we have what could be a bad security issue and I'm starting to get private mail asking about an updated build. (I assume that's because of the bug I opened or traffic on this list.) I honestly don't want to be the clamav maintainer; I just happened to see the Gentoo update come across bugtraq on Friday and became concerned about my own servers.

 - J<