Extras Security Policy

Michael Schwendt bugs.michael at gmx.net
Thu Sep 8 21:14:36 UTC 2005

On Thu, 08 Sep 2005 12:57:48 +0200, Hans de Goede wrote:

> The moral, volunteers can and will do hard things, although accasionally 
> and security is not nescesarry all that hard.
> To conclude I would like to take back my previous statement:
>  > I'm in no way volunteering todo any of the work this will cause, not
>  > because I don't want to, but because I don't have the time.
> and to volunteer my (limited) time as a member of a FE security team, 
> who wants to join me?

I advise creating a concept first, then considering the creation of a
"security team" after some proof-of-concept security reports (either
tracking vulnerabilities in Extras or reporting unclosed ones). For
example, bugtraq list traffic alone can be close to useless if a
subscriber doesn't know every package which is in Extras. Some clever
automated searching for package names could be helpful. I also believe
that a real security team would benefit from access to vendor-sec
information, and that won't be available for a team of volunteers
without a track record.

More information about the fedora-extras-list mailing list