On 27/10/14 10:03 AM, Matthew Miller wrote:
> On Mon, Oct 27, 2014 at 11:57:16AM -0400, Eric H. Christensen wrote:
>> This seems to already be happening[0] on the package-announce
>> list[1]. Security updates are being sent with [SECURITY] so I wonder
>> if this is being done with topics.
>
> Oh cool -- it is. There are topics for every fedora release, plus
> Security and "Newpackages". After subscribing, edit options here:
> <https://admin.fedoraproject.org/mailman/options/package-announce>
>
> But we do still need to figure out a way to encourage people to write
> better descriptions.

That is a tough one to always get right because you need an intersection of package expertise and security expertise. E.g. I can write security descriptions until the cows come home, especially for things I understand, but if you stick me in front of a reasonably complex kernel issue I'm gonna poke someone else for help so I don't mess it up.

The flipside of this is that there's like a top 10 or 20 vulns that account for the bulk of issues (e.g. buffer overflow, XSS) and are relatively easy to understand, confirm and describe. So if you're not shooting for 100% you can easily get to 80-90%, but then you run the risk of really bad things slipping out unnoticed or unmentioned ("Check for fishy environment" being a classic example; without a CVE I bet this would slip past most people =).

One catch: AFAIK we have no training material for this (and I've never seen anything good publicly available), so if we want people to do the right thing, they'll need to be taught how.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
--
security mailing list
security@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/security