Package maintainers in both the Fedora Core and Extras repositories are
responsible for the security of the packages they develop/maintain. However,
the Red Hat security response team does not keep track of all security
issues in the Fedora Extras repository, unlike Fedora Core, to my
understanding.
Thanks for clarifying that.
There was a discussion here:
https://www.redhat.com/archives/fedora-extras-list/2005-September/msg00393.html
Thanks for the link, it looks like the issues involved are being
discussed.
The package maintainers keep track of the security issues. There is no
reason not to trust the community packagers to do a less than excellent
job with it.
I did not mean to imply that any of the maintainers are not doing a
good job. As was pointed out in the linked Extras discussion, mistakes
can be made, or time constraints on a maintainer can affect the
release of an update to rectify security issues. Most of us are humans
;)
All Fedora Extras packages
take advantage of various features in Fedora Core, including
Exec-shield, FORTIFY_SOURCE, fstack-protector, etc., in addition to SELinux
capabilities.
I did not mean to imply that using packages in Extras was a security
risk.
Even setting aside all the security features, there are several
advantages to using Fedora Extras instead of tarballs or self-packaged
RPMs.
My reference to using packages via tarballs or self-packaged software
was related to how I internally treat that software. I am personally
more vigilant of security issues with software that is not installed
via Fedora because I know I must shoulder that responsibility for that
software. I don't have a security team to make sure any issues are
dealt with, I'm the security team for the software I install on a
system that is not part of the distribution.
From the above Extras list discussion:
I believe many such installations and sysadmins do exist, and part of
the natural responsibility for such people would be to help the Extras
in fixing the packets at source.
That's me. From the above clarification I know I need to take a bit of
extra (pun intended) personal responsibility with packages from
Extras. Packages from Extras are there because of the community, and
the community (me) needs to put forth the effort to keep those
packages maintained.
Fedora Extras undergoes a package review process to ensure
consistency and better integration with Fedora according to the
specified guidelines
I in no way intended to bash Extras. However, I do think some type of
written security/errata policy for Extras should appear on the Fedora
Project Wiki.
Charles Dostale
System Admin - Silver Oaks Communications
http://www.silveroaks.com/
824 17th Street, Moline IL 61265
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list