On 10/04/14 14:58, Matthew Miller wrote:
> On Thu, Apr 10, 2014 at 03:55:17PM +0200, Miloslav Trmač wrote:
>> Looking back, how many times in the past years would we have used that
>> signal? Once in 3 years? 5 years? If we now collect the contact
>> information and volunteers, is it at all likely that the information will
>> still be correct and relevant by the time we need to use it again?
> Good question. I think "at least once" is sufficient answer, though. :)
>
> Maybe the system could come with a reminder to keep info current in some
> way?
>

I think the most important thing is to keep not only the maintainers informed, but also our general users, including giving them mitigation advice and explaining exactly what the problem is or was.

Regarding the OpenSSL issue: this was such a serious security breach, even admins should have been given advice. I would really like to see upstream investigate too, how this breach could occur in the first place, who made those commits and what review they have for commits. I had a look around to see what upstream does or where to get/see commits. Not exactly easy to find these things out.

Another issue this raises is, now that everyone uses github, what security record does github have? Can they be influenced in any way by government agencies/departments or other groups? Who vets committers or commits to projects?

With regards to our handling of the issue, I thought it was great Robyn sent out emails on the announce list. Maybe something we should have done is make a prominent security section for notices on the fp.o site. I must also say, the response time was quite good too, looking at package build times, compared to the time when I was informed of the issue. The only problem was the mirrors not syncing up fast enough, which makes me wonder if we should dump security fixes into a sub-directory in updates, which mirrors could sync up faster.

Just a few thoughts here.
Regards,
Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at: TSantore@xxxxxxxxxxxxxxxxx

--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security