On Fri, 28 Apr 2006 17:50:36 +0200, Ralf Corsepius wrote:

> On Fri, 2006-04-28 at 17:12 +0200, Michael Schwendt wrote:
> > On Fri, 28 Apr 2006 14:29:49 +0200, Ralf Corsepius wrote:
> >
> > > Or to put it differently: I think you are mixing 2 completely
> > > independent issues:
> > > * Regular maintenance of "legacy" packages the "nominal maintainer" in
> > > current has abandoned to actively maintain.
> > > * Security response.
> >
> > Well, I tried to separate these two. But others didn't like the idea of
> > a "Fedora Extras Legacy Team" (= the combined set of Fedora Extras
> > Contributors who still support old legacy branches). Currently I still
> > don't know _who_ would maintain old legacy packages, if not the Fedora
> > Extras Security Response Team.
>
> I think we are still talking past each other.

I don't think so. ;)

> Let me try to give an
> (worst case) example of what I am talking about:
>
> "Maintainer" once submitted a package when FC3 was "devel". The package
> had been built for FC2, too. Meanwhile, FC5 is out, devel is future FC6.
> "Maintainer" has switched to actively using FC5 and therefore is not
> actively using Fedora < 5 anymore.

This is not a worst case, this is pretty normal. IMO.

Scenario: "FC5 has just been released. Packager's primary machine is
upgraded to FC5. FC4 is abandoned. FC3 even more."

I'm aware that some packagers use mock to test-build their packages for
older dists. I'm also aware that some use multi-boot environments or
virtual machines to do run-time tests. But often, overall package quality
suffers when package maintainers no longer use the old distributions
regularly.

> He therefore releases upgrades for "FC5" and "devel", but skips anything
> older than FC4. Now he has a sudden accident sending him to hospital for
> 2 months - Nobody notices.

Which is what we've experienced several times before. Not in the form of
an accident, but packagers "dropping off" silently, leaving behind open
bugzilla tickets and orphaned packages.

> Now, somebody (outside of Fedora) finds a severe exploit with this
> package, affecting all versions from FE2 through "devel".

... and submits a bug report which goes unnoticed unless some of us skim
over all new reports (or at least try to, which is very difficult, since
_old_ reports moved from one Product to another may be missed) and add
these to the tracker bugs.

> Questions: What will happen next, and who will perform which kind of
> action?

We need policies, so either a) an official team inside Fedora Extras gets
the power (= the privileges) to intervene, or b) arbitrary FE Contributors
can intervene in accordance with policies.

This is not just about security vulnerabilities. It can also happen that a
critical bug in a popular package doesn't get fixed, because the package
owner seems to be unavailable (or is known to be unavailable).

> First of all, somebody in Fedora will have to get to know about this
> exploit. As you can't expect packagers to follow all potential security
> lists, and given the fact security issues are often kept secret, getting
> to know about security issues isn't necessarily easy.
>
> Then, somebody will have to implement a fix, and to apply it. In some
> cases, such fixes will be available from external sources, in some cases
> the packager will be able to develop a fix himself, but one can't rely
> on either of these possibilities.
>
> At this point the question of "Who does what?", i.e. coordination and
> responsibilities, comes into play. ATM, Legacy should fix FE2, the
> packager would fix FE5 and devel, maybe he would try to fix FE4 - FE3
> would stay vulnerable.

Yes, this is why this needs coordination and monitoring. Best performed by
people who focus on these things. Instead of random contributors who
notice a bug report and only fix "part of the mess".

> As he had an accident, probably nothing would happen, until somebody
> starts shouting loudly.
>
> Therefore, I say: We need a "Security Task force", monitoring security
> lists, assisting in providing fixes, taking actual action regardless of
> package ownership, when necessary.
>
> If one brings this thought to an end, you'll notice that the situation
> becomes even more difficult, when considering packagers outside of FE,
> such as Core or Legacy - In my opinion, it substantially questions this
> split.

Have you seen my earlier posting? (Date: Fri, 28 Apr 2006 11:31:33 +0200)
No reply to it yet.

-- 
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list