Extras Security Policy

Ralf Corsepius rc040203 at freenet.de
Thu Sep 8 16:10:54 UTC 2005

On Thu, 2005-09-08 at 16:01 +0200, Michael Schwendt wrote:
> On Thu, 08 Sep 2005 13:40:00 +0200, Christian.Iseli at licr.org wrote:
> > On the other hand, everything is out there, opened, in the CVS.  Nothing 
> > prevents any motivated volunteer to go ahead and fix a security issue in any 
> > package.  Sure, it'd probably be considered "impolite" by some.  Maybe we need 
> > a simple rule that says "Security patches can be applied by any maintainer on 
> > any package, in a first come first served basis, with proper advertisement on 
> > the FE list" or some such...
Well, I had not only been referring to security issue, I am also
referring to bugs, esp. packaging bugs (Broken deps, broken specs,
updates breaking ABIs/APIs, erroniously released (broken) packages

Right now, not even package withdrawal is possible.

> If at all => bugzilla!
As long as maintainers treat bugzilla as /dev/null, and do not react
upon notifying them on PM, this is not a solution.

> Security fixes may require version upgrades, and you don't want to
> interfere with what the primary package maintainer may be preparing and
> testing already while you go and modify his package.
> That's a box you don't want to open.

> Rather than "any packager touching any package", I'd prefer official
> co-maintainers who divide the package maintenance efforts and take
> care of a package beyond occasional security patches.
And I'd suggest a "task force" with "card blanche" access to all packages.


More information about the fedora-extras-list mailing list