Re: Disturbing lack of FE security updates announcements!


Josh Bressers wrote:
> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
>
> Hans de Goede schrieb:
>> This morning I've been working on fixing several security flaws in imlib2.
>> When I was done with fixing and building these, I started writing a
>> security update notification mail to send to fedora-package-announce@xxxxxxxxxx
>> in the usual format for updates sent to this list.
>> [...]
>> FESco, can you please mandate sending a mail to fedora-package-announce@xxxxxxxxxx for
>> security related updates?
> I agree with the idea. Hans, can you or maybe someone else (from the
> Security SIG, sorry, Response Team?) work out a proposal and integrate it
> into
> http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements
> (that will be later moved to
> http://www.fedoraproject.org/wiki/Extras/Policy )
>
> In an ideal world it would look a bit like
> http://www.fedoraproject.org/wiki/Extras/Policy/WhoIsAllowedToModifyWhichPackages
> e.g. a *short* section in the beginning that allows new contributors to
> get an idea of our processes and rules without wasting too much time
> reading details. Then a more detailed section which describes the thing
> (Why? How?) in detail.


This is currently a non-trivial problem to solve.  We lack the manpower to
modify the various problem packages ourselves, so the obvious solution is
to let the owner do the work and the security team would only have to step
in when the owner is MIA.  As soon as the owner builds the new package it
magically appears as part of FE.  We don't have an easy way to determine
when something has been pushed live.

The right way to solve this problem is to send announcements for every FE
update (security or not), and to let the security team edit security
advisories to ensure the proper information is included.


That is one solution, but given the rolling release model of FE, there are going to
be a lot of announcements. Why not ask FE package maintainers to send a security
announcement out when they push an update which has security implications / fixes?

Regards,

Hans

--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list