> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
>
> Hans de Goede wrote:
> > This morning I've been working on fixing several security flaws in imlib2.
> > When I was done with fixing and building these, I started writing a
> > security update notification mail to send to fedora-package-announce@xxxxxxxxxx
> > in the usual format for updates sent to this list.
> > [...]
> > FESco, can you please mandate sending a mail to fedora-package-announce@xxxxxxxxxx for
> > security related updates?
>
> I agree with the idea. Hans, can you or maybe someone else (from the
> Security SIG, sorry, Response Team?) work out a proposal and integrate it
> into
> http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements
> (that will be later moved to
> http://www.fedoraproject.org/wiki/Extras/Policy )
>
> In an ideal world it would look a bit like
> http://www.fedoraproject.org/wiki/Extras/Policy/WhoIsAllowedToModifyWhichPackages
> e.g. a *short* section in the beginning that allows new contributors to
> get an idea of our processes and rules without wasting too much time
> reading details. Then a more detailed section which describes the thing
> (Why? How?) in detail.
>

This is currently a non-trivial problem to solve. We lack the manpower to
modify the various problem packages ourselves, so the obvious solution is to
let the owner do the work and the security team would only have to step in
when the owner is MIA. As soon as the owner builds the new package it
magically appears as part of FE. We don't have an easy way to determine when
something has been pushed live.

The right way to solve this problem is to send announcements for every FE
update (security or not), and to let the security team edit security
advisories to ensure the proper information is included.

-- 
JB