Extras Security Policy

Hans de Goede j.w.r.degoede at hhs.nl
Thu Sep 8 16:26:15 UTC 2005

Christian.Iseli at licr.org wrote:
> bugs.michael at gmx.net said:
>>If at all => bugzilla!
>>Security fixes may require version upgrades, and you don't want to interfere
>>with what the primary package maintainer may be preparing and testing already
>>while you go and modify his package.
>>That's a box you don't want to open.
>>Rather than "any packager touching any package", I'd prefer official
>>co-maintainers who divide the package maintenance efforts and take care of a
>>package beyond occasional security patches. 
> In all such things, you usually need carrots and sticks.  That rule would be
> the sticks part...
> How about:
> 1. Some automated process (watching bugtraq and friends), or some person,
>    determines there is a potential security hole in some package.
> 2. Said process or person files a ticket with bugzilla, marked *security*
> 3. Bugzilla sends a mail to the FE-list, and a timer starts ticking

This is exactly my idea; I'll try to make some time to see if I can cook
up something which automagically watches bugtraq and creates bugzilla
entries accordingly. The timer part I dunno about, it sounds like a good
idea, but I for one am not all that keen on adding yet more procedures
(yeah I like to contradict myself, get used to it :)
