Josh Bressers wrote:
The right way to solve this problem is to send announcements for every FE
update (security or not), and to let the security team edit security
advisories to ensure the proper information is included.
That is one solution, but given the rolling release model of FE, that are going to
be a lot of announcements. Why not ask FE package maintainers to send a security
announcement out when they push an update which has security implications / fixes?
I don't believe this will work, but if you think so, write up your idea
with some technical details and send it to the fedora security list for
discussion.
Hmm, I'm not all that fond on writing proposals esp. this early in the process, I'll
first let this thread run a couple of days to get some more input and then I'll try
to write something for FESco / the security list.
The fundamental flaw with this I see is what happens when someone decides
to ignore the request? With the sheer number of extras packages we don't
have a terribly good way of tracking what's getting fixed and when. As
crazy as this sounds, no security advisories is a better situation that half
assed security advisories. Security advisories should be all or none lest
we just create more problems than we already have.
Agreed.
Regards,
Hans
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
