Re: Summary of FC5test1 vulnerabilities


 



Hi


May I assume this has not been done for packages in Extras ?

Package maintainers in both the Fedora Core and Extras repositories are responsible for the security of the packages they develop/maintain. However, the Red Hat security response team does not keep track of all security issues in the Fedora Extras repository, unlike Fedora Core, to my understanding.


I could not find a reference to a security/patch/errata policy relating to Extras at
<http://fedoraproject.org/wiki/Extras>

There was a discussion here https://www.redhat.com/archives/fedora-extras-list/2005-September/msg00393.html.


This is OK, but it means that I (as a community member) will need to make more of an effort to stay on top of security issues in an Extras package on my systems. I can rely on established infrastructure to stay on top of those issues for packages in Core. Extras packages will seem a bit more like applications installed via tarball, or self-packaged.

The package maintainers keep track of the security issues. There is no reason not to trust the community packagers to do a less than excellent job with it. After all, those were the ones who volunteered to maintain it in the first place. Additional eyes keeping track of potential security issues are helpful, and you can notify the respective maintainers of any vulnerabilities through http://bugzilla.redhat.com, both for Fedora Core and Extras. Details are available at http://fedoraproject.org/wiki/Security. All Fedora Extras packages take advantage of various features in Fedora Core, including Exec-shield, FORTIFY_SOURCE, fstack-protector, etc., in addition to SELinux capabilities. If it's a public vulnerability, you can also post to either the Fedora-devel (Core packages) or Fedora Extras list.

Even setting aside all the security features, there are several advantages to using Fedora Extras in favor of tarballs or self-packaged RPMs. Fedora Extras undergoes a package review process to ensure consistency and better integration with Fedora according to the specified guidelines available at http://fedoraproject.org/wiki/Extras. The repository is also enabled by default from Fedora Core 4 onwards. Future releases might even offer the capability to install these packages using Anaconda and so on. Hope that helps.

regards
Rahul

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
