Re: Security reviews for new packages

On 11 Nov 2008 09:51:23 -0600
Jason L Tibbitts III <tibbs@xxxxxxxxxxx> wrote:

> I do many package reviews, and occasionally I see a package that is
> fine packaging-wise but which I don't feel comfortable approving
> because I know it has security implications.  One such package is
> schroot, which has some pam magic to allow users to set up chroots.
>   https://bugzilla.redhat.com/show_bug.cgi?id=447368
> 
> It's quite possible that I'm simply being overly paranoid, but of
> course I'm not qualified to say one way or the other.  Is it possible
> for someone with more knowledge in this area to take a look at the
> package?  What would be needed?  (Perhaps a scratch build, or are the
> src.rpm and spec sufficient?)

I'm no expert, but I could take a look I suppose.

> Could we work out a simple procedure for doing this in the future?

How about we make an F_SECURITY_REVIEW tracker bug, and any review that
needs extra security attention is made to block that bug. We can add
this list to that blocker to notify everyone here to take a look?
(It's worked for LEGAL I think, so I would hope it works for security
reviews as well.)

Thoughts?

>  - J<

kevin

--
Fedora-security-list mailing list
Fedora-security-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-security-list