Core and Extras maintainers coordination

Paul Nasrat pnasrat at redhat.com
Fri Jul 22 21:54:44 UTC 2005


On Fri, 2005-07-22 at 14:24 -0700, Nathan Grennan wrote:
> On Fri, 2005-07-22 at 23:12 +0200, Michael Schwendt wrote:
> > Please, no! For asking questions, users ought to use mailing-lists. Please
> > let's not establish private e-mail contact as a way to contact a package
> > author, neither for bug reports nor for questions or RFEs. Over the past
> > weeks I've received a few private mails for packages in Fedora Extras,
> > where I only fixed a bug or requested an all-arch rebuild.
> 
>   I disagree, mailing lists aren't the best choice in all cases. Some
> information is only known by the package maintainer, and using the
> mailing list in all cases assumes the person happens to notice your
> question out of the flood of mail the mailing lists receive. Maybe the
> person is on vacation and disables delivery of mailing lists. Or because
> there has been so much said while they were away they can't be expected
> to catch up. Whereas a direct e-mail will be much more likely to be
> read.

I really disagree, and if it is necessary then you can always CC the
person in your list mail to make sure, but it should not be encouraged as
the common method of contact.  Maintainers are not a direct support
forum; by promoting direct email you're likely to overwhelm people with
user support requests via personal email.

If someone is away - another person may know the answer so a list is
appropriate.  I understand fedora-devel is very noisy, but
fedora-maintainers and fedora-extras are pretty high quality lists.

If you don't want something to get lost - raise it in bugzilla, if it's
not appropriate for bugzilla raise it on the list or on #fedora-devel.

Contacting the developer directly should be a last resort.  

>   Security issues are one situation I can see some people wanting a more
> direct route. Personally I believe in full disclosure, but not all
> agree. Which brings up an interesting point. Bugzilla has a check box
> for security sensitive bugs. I am at least under the impression this
> limits access to the bug. I am curious if this works properly with
> extras since now not all maintainers are Red Hat employees.

This is really another conversation completely - I know various people
have been looking at the possibilities for extras security teams, etc.  

Really we have a couple of cases here:

Publicly known vulnerability - in which case the developer should
notice anyway and rebuild. But as it's disclosed, using the list is
better as someone else can push through ASAP.

Zero day where discoverer wants to co-ordinate with extras (either via
vendor-sec or directly).  In which case obviously confidentiality is key
to the issue - and we need processes for handling this.  This probably
does mean communicating via a response team who can escalate and
maintain embargo appropriately.  Communication with the developer
probably is done but this is a very special case and the standard
communication path.

Paul
