Extras Security Policy

Christian.Iseli at licr.org Christian.Iseli at licr.org
Thu Sep 8 15:06:01 UTC 2005

bugs.michael at gmx.net said:
> If at all => bugzilla!

> Security fixes may require version upgrades, and you don't want to interfere
> with what the primary package maintainer may be preparing and testing already
> while you go and modify his package.

> That's a box you don't want to open.

> Rather than "any packager touching any package", I'd prefer official
> co-maintainers who divide the package maintenance efforts and take care of a
> package beyond occasional security patches. 

In all such things, you usually need carrots and sticks.  That rule would be
the sticks part...

How about:
1. Some automated process (watching bugtraq and friends), or some person,
   determines there is a potential security hole in some package.
2. Said process or person files a ticket with bugzilla, marked *security*
3. Bugzilla sends a mail to the FE-list, and a timer starts ticking

then we have either (or possibly both):

4a. Maintainer puts a comment in ticket, saying he's working on the problem
4b. Other maintainers put comments and proposed patches in ticket

If 4a, all is well

If timer expires, and 4b exists, then apply 4b.
If timer expires and there are no comments, then temporarily disable the 


More information about the fedora-extras-list mailing list