On Tue, May 11, 2010 at 04:38:53PM +0530, Rahul Sundaram wrote:
> On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> >
> > Do we have a security team who evaluate security issues that are filed
> > against any package, and who have the privileges to immediately fix the
> > CVE should the maintainer not be responsive enough wrt the severity of
> > the security problem? We shouldn't have security fixes blocked on the
> > unresponsive maintainer process. Proven packagers obviously have suitable
> > CVS commit privileges to make the changes, but do any of them actively
> > monitor for security issues & address them?
> >
>
> Yes. Security team did monitor and filed the security issue but they
> don't do commits and builds and there is no team outside of them taking
> care of these issues. It would be great to take care of this.

This seems like rather a major shortcoming in our processes. A security
team who can merely file bugs & has no power to ensure security flaws are
fixed in a timely manner is not good for Fedora.

Regards,
Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|