Ralf Corsepius wrote:
On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
Josh Bressers wrote:
https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
Hans de Goede schrieb:
This is currently a non trivial problem to solve. We lack the man power to
modify the various problem packages ourselves, so the obvious solution is
to let the owner do the work and the security team would only have to step
in when the owner is MIA. As soon as the owner builds the new package is
magically appears as part of FE. We don't have an easy way to determine
when something has been pushed live.
The right way to solve this problem is to send announcements for every FE
update (security or not), and to let the security team edit security
advisories to ensure the proper information is included.
That is one solution, but given the rolling release model of FE, that are going to
be a lot of announcements. Why not ask FE package maintainers to send a security
announcement out when they push an update which has security implications / fixes?
Let me turn this thing around: Why should they?
I don't see why filing a PR and then giving maintainers a chance to
react should not work. Whether they will be able to react, whether they
will be able to react in reasonable time is a different question.
How and by whom the issue is getting fixed is not the question / problem here. AFAIK
the fixing is done by the maintainer in a reasonable amount of time in most cases.
The problem I'm trying to address here is that there is no way for end users
to find out about FE package updates which are security related. This is BAD, hence my
suggestion to ask maintainers to send a security update announcement (in a predefined
format / template) to fedora-packages-announce when there is a security related update of
an FE package they (the maintainers) maintain.
Regards,
Hans
--
fedora-extras-list mailing list
fedora-extras-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-extras-list
