Extras Security Policy
Christian.Iseli at licr.org
Thu Sep 8 15:06:01 UTC 2005
bugs.michael at gmx.net said:
> If at all => bugzilla!
> Security fixes may require version upgrades, and you don't want to interfere
> with what the primary package maintainer may be preparing and testing already
> while you go and modify his package.
> That's a box you don't want to open.
> Rather than "any packager touching any package", I'd prefer official
> co-maintainers who divide the package maintenance efforts and take care of a
> package beyond occasional security patches.
In all such things, you usually need carrots and sticks. That rule would be
the sticks part...
How about:
1. Some automated process (watching bugtraq and friends), or some person,
determines there is a potential security hole in some package.
2. Said process or person files a ticket with bugzilla, marked *security*.
3. Bugzilla sends a mail to the FE-list, and a timer starts ticking.
then we have either (or possibly both):
4a. Maintainer puts a comment in ticket, saying he's working on the problem.
4b. Other maintainers put comments and proposed patches in ticket.
If 4a, all is well.
If timer expires, and 4b exists, then apply 4b.
If timer expires and there are no comments, then temporarily disable the
package.
Christian
More information about the fedora-extras-list mailing list