Procedure for handling actively exploited security bugs with patches?

Jason L Tibbitts III tibbs at math.uh.edu
Sat Feb 9 05:38:02 UTC 2008


>>>>> "BO" == Bryan O'Sullivan <bos at serpentine.com> writes:

BO> If a package maintainer doesn't turn a security fix around
BO> quickly, is it reasonable (albeit a bit less than totally polite)
BO> to step in and do the update oneself, assuming the ACLs permit it?

Well, we're all supposed to be helping each other here.  Make sure
things get in bugzilla and are marked as security so the security team
sees it, and if you have a patch and you have access then I can't see
why you wouldn't at least commit it and do a scratch build.  And after
testing, if there's no response from the maintainer and the issue is
actually being exploited then I don't see why you wouldn't push or ask
the security team to push.

 - J<
