> > The right way to solve this problem is to send announcements for every FE
> > update (security or not), and to let the security team edit security
> > advisories to ensure the proper information is included.
> >
>
> That is one solution, but given the rolling release model of FE, there are going to
> be a lot of announcements. Why not ask FE package maintainers to send a security
> announcement out when they push an update which has security implications / fixes?
>

I don't believe this will work, but if you think so, write up your idea with
some technical details and send it to the fedora security list for discussion.

The fundamental flaw with this I see is what happens when someone decides to
ignore the request? With the sheer number of extras packages we don't have a
terribly good way of tracking what's getting fixed and when. As crazy as this
sounds, no security advisories is a better situation than half-assed security
advisories. Security advisories should be all or none lest we just create
more problems than we already have.

I would rather see a lot of FE announcements than the current lack of
announcements. Right now I run a yum update, and I have no idea what the
extras updates are fixing. This annoys me to no end, and I would be very
surprised if I'm the only one.

-- 
JB