On Tuesday 11 May 2010 18:51:08 Kevin Fenzi wrote:
> On Tue, 11 May 2010 15:37:51 +0200 Jaroslav Reznik <jreznik@xxxxxxxxxx> wrote:
> > On Tuesday 11 May 2010 13:08:53 Rahul Sundaram wrote:
> > > On 05/11/2010 03:43 PM, Daniel P. Berrange wrote:
> > > > Do we have a security team who evaluate security issues that are
> > > > filed against any package, and who have the privileges to
> > > > immediately fix the CVE should the maintainer not be responsive
> > > > enough wrt the severity of the security problem? We shouldn't
> > > > have security fixes blocked on the unresponsive maintainer
> > > > process. Proven packagers obviously have suitable CVS commit
> > > > privileges to make the changes, but do any of them actively
> > > > monitor for security issues & address them?
> > >
> > > Yes. Security team did monitor and filed the security issue but they
> > > don't do commits and builds and there is no team outside of them
> > > taking care of these issues. It would be great to take care of
> > > this.
> >
> > Would be great to have similar team - I've already done an update for
> > them as provenpackager (unmaintained orphaned package -
> > mod_auth_shadow) but I wasn't sure about my responsibilities for this
> > update. Some clarification would be great (I'm not talking about
> > another policy, just recommended practice).
>
> We do have:
> https://fedoraproject.org/wiki/Who_is_allowed_to_modify_which_packages

Ok, thanks! That was what I was looking for. I wasn't sure what my
responsibilities are.

> I would love to have a provenpackager security team that helps apply
> security fixes in a timely manner.

As I said - I've already helped security team, so count me in too. It does not
have to be special provensecuritypackagers team but more likely just a list of
people who are willing to help with security issues, security people know them
and thus they can be in touch when it's needed.

Would be great to CC some people from security response team (I'm not sure
about interconnection between RH & Fedora people there, I'll try to poke them).

Jaroslav

> kevin

--
Jaroslav Řezník <jreznik@xxxxxxxxxx>
Software Engineer - Base Operating Systems Brno

Office: +420 532 294 275
Mobile: +420 602 797 774
Red Hat, Inc. http://cz.redhat.com/