Re: Fedora Extras Security Response Team

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 05 April 2006 18:14, Dennis Gilmore wrote:
> > Does Fedora currently post their updates and advisories to a webpage
> > anywhere? Before we worry about that, lets at least get to the level that
> > Fedora Core is at, then go beyond.  Little steps can lead to a long way.
>
> Fair enough.  I think core just uses fedora-announce   so  thats a start.  
> what is needed so that SIG members can post to fedora-announce?

I just approve the posts.  I have the list password.  However I don't 
currently get notices when something needs to be approved, I know when as I 
pull the trigger on the Fedora updates and various other Fedora announces.  
So basically I either get those notices, or we get the announcements CC'd to 
the security-list as a trigger for me to go approve them.  I'll double check 
policy w/ the Fedora board, but I'm pretty sure they're cool with this.

> > > as far as maintainers dropping support  there is the wiki and
> > > fedora-extras
> > >
> > > for now i guess we could ask legacy  to include some of the SIG members
> > > in with their embargoed email list.
> >
> > We don't really have much of a SIG, and what did you mean by 'embargoed
> > email list' ?
>
> Non public security reports.   however it is  that you get them. I should
> be more involved with legacy  as i use it for a few systems.

Ah ok.  I applied for and got accepted into Vendor-Sec, the vendor security 
notification email list.  We could nominate one person or so to be on there 
for Extras.  I serve as a filter for Legacy, when there are things related to 
Legacy packages I forward them on to our Legacy builder team.  Before we 
start doing pre-notifications, we need to define a private bugzilla group so 
that we can file bugs in private and not have public view.  Unfortunately we 
don't have the ability to do embargo CVS branches within Extras ATM, 
something we should bring up to FESCo to rectify so that we can generate 
packages and such prior to embargo date.  This is a big hairy thing, we 
should concentrate on how we handle publicized issues first, then move into 
pre-notification.  Again, small steps.

-- 
Jesse Keating
Release Engineer: Fedora

Attachment: pgpI6WsJ29ON8.pgp
Description: PGP signature


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Coolkey]

  Powered by Linux