On Tue, 11 May 2010 15:37:51 +0200
Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:

> On Tuesday 11 May 2010 13:08:53 Rahul Sundaram wrote:
> > On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > > Do we have a security team who evaluate security issues that are
> > > filed against any package, and who have the privileges to
> > > immediately fix the CVE should the maintainer not be responsive
> > > enough wrt the severity of the security problem ? We shouldn't
> > > have security fixes blocked on the unresponsive maintainer
> > > process. Proven packagers obviously have suitable CVS commit
> > > privileges to make the changes, but do any of them actively
> > > monitor for security issues & address them ?
> >
> > Yes. Security team did monitor and filed the security issue but they
> > don't do commits and builds and there is no team outside of them
> > taking care of these issues. It would be great to take care of
> > this.
>
> Would be great to have similar team - I've already done an update for
> them as provenpackager (unmaintained orphaned package -
> mod_auth_shadow) but I wasn't sure about my responsibilities for this
> update. Some clarification would be great (I'm not talking about
> another policy just recommended practice).

We do have:
https://fedoraproject.org/wiki/Who_is_allowed_to_modify_which_packages

I would love to have a provenpackager security team that helps apply
security fixes in a timely manner.

kevin
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel