Extras Security Policy

Aurelien Bompard gauret at free.fr
Thu Sep 8 19:07:38 UTC 2005

Hans de Goede wrote:
> As I already said just provide an empty package with a higher evr and
> virtual privates, bins could be replaced with a script temporary
> disabled because of security reasons.

Hmmm, let's take for example the latest openssh security flaw, which
concerns GSSAPI. I don't use GSSAPI on my server, and I would *hate* if
openssh was automatically replaced by a dummy package because of a security
flaw which does not affect me.

Of course, OpenSSH is highly critical, but the same thing could happen with
potentially critical pacakges in Extras, like Zope or Plone. For some
security problems which affect corner cases, it's much better not to
disable the service this way.

http://aurelien.bompard.org  ~~~~  Jabber : abompard at jabber.fr
One OS to hook them all
One browser to find them
One word processor to bring them all
And in monopoly, bind them...

More information about the fedora-extras-list mailing list