On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
> Josh Bressers wrote:
> >> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
> >>
> >> Hans de Goede wrote:
> > This is currently a non-trivial problem to solve. We lack the manpower to
> > modify the various problem packages ourselves, so the obvious solution is
> > to let the owner do the work and the security team would only have to step
> > in when the owner is MIA. As soon as the owner builds the new package, it
> > magically appears as part of FE. We don't have an easy way to determine
> > when something has been pushed live.
> >
> > The right way to solve this problem is to send announcements for every FE
> > update (security or not), and to let the security team edit security
> > advisories to ensure the proper information is included.
> >
>
> That is one solution, but given the rolling release model of FE, there are going to
> be a lot of announcements. Why not ask FE package maintainers to send a security
> announcement out when they push an update which has security implications / fixes?

Let me turn this thing around: Why should they?

I don't see why filing a PR and then giving maintainers a chance to react should not work. Whether they will be able to react, whether they will be able to react in reasonable time, is a different question.

Ralf