On Fri, 2006-04-28 at 17:12 +0200, Michael Schwendt wrote:
> On Fri, 28 Apr 2006 14:29:49 +0200, Ralf Corsepius wrote:
>
> > Or to put it differently: I think you are mixing 2 completely
> > independent issues:
> > * Regular maintenance of "legacy" packages the "nominal maintainer" in
> > current has abandoned to actively maintain.
> > * Security response.
>
> Well, I tried to separate these two. But others didn't like the idea of
> a "Fedora Extras Legacy Team" (= the combined set of Fedora Extras
> Contributors who still support old legacy branches). Currently I still
> don't know _who_ would maintain old legacy packages, if not the Fedora
> Extras Security Response Team.

I think we are still talking past each other. Let me try to give a
(worst case) example of what I am talking about:

"Maintainer" once submitted a package when FC3 was "devel". The package
had been built for FC2, too. Meanwhile, FC5 is out, devel is the future
FC6.

"Maintainer" has switched to actively using FC5 and therefore is not
actively using Fedora < 5 anymore. He therefore releases upgrades for
"FC5" and "devel", but skips anything older than FC4.

Now he has a sudden accident sending him to hospital for 2 months -
nobody notices.

Now, somebody (outside of Fedora) finds a severe exploit with this
package, affecting all versions from FE2 through "devel".

Questions: What will happen next, and who will perform which kind of
action?

First of all, somebody in Fedora will have got to know about this
exploit. As you can't expect packagers to follow all potential security
lists, and given the fact that security issues often are kept secret,
getting to know about security issues isn't necessarily easy.

Then, somebody will have to implement a fix, and to apply it. In some
cases, such fixes will be available from external sources, in some cases
the packager will be able to develop a fix himself, but one can't rely
on either of these possibilities.

At this point the question of "Who does what?", i.e. coordination and
responsibilities, comes into play. ATM, Legacy should fix FE2, the
packager would fix FE5 and devel, maybe he would try to fix FE4 - FE3
would stay vulnerable. As he had an accident, probably nothing would
happen, until somebody starts shouting loudly.

Therefore, I say: We need a "Security Task force", monitoring security
lists, assisting in providing fixes, taking actual action regardless of
package ownership, when necessary.

If one brings this thought to an end, you'll notice that the situation
becomes even more difficult when considering packagers outside of FE,
such as Core or Legacy - In my opinion, it substantially questions this
split.

Ralf

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list