Extras Security Policy

Hans de Goede j.w.r.degoede at hhs.nl
Thu Sep 8 10:57:48 UTC 2005


Warren Togami wrote:
> Hans de Goede wrote:
> 
>>
>> Besides that we need a clear security policy to be written and approved
>> by fesco:
> 
> SNIP
> 
>>
>> We really need an FE security team which watches over FE's security 
>> aspects.
> 
> 
> Generally everyone agrees about "need" ...
> 
>>
>> I'm in no way volunteering to do any of the work this will cause, not 
>> because I don't want to, but because I don't have the time.
>>
> 
> but security is *hard* for volunteers to do.  Nobody is accountable 
> because it isn't their job responsibility.  Volunteers generally do the 
> "fun" things first, and sometimes one-time harder problems.  This does 
> not describe what it takes to maintain eternal vigilance necessary of 
> people focused on security in the long-term.  I am talking here of 
> realistic expectations of volunteer capability.
> 

Agreed on the not accountable part. But I have to disagree on the *hard* 
part, security is very important, and making sure that FE is as secure 
as possible (with limited resources) can be "Fun", or at least something 
to be proud of, which can be just as motivational as fun (I hope).


<offtopic>

I myself for example have picked up Glide3 when dropped from core, and 
in a horrible state, newer gcc's didn't like it at all, it was last updated 
in 2001 and kept going with some patches after that (with the largest patch 
being written by me in the first place).

It took me weeks to get it in a suitable state for FC3 extras and months 
to get it in a really good state. After working closely with upstream it 
now is in a great state, with added support for older VooDoo's and being 
completely 64 bit clean.

So this was hard, yet I did it, because I didn't want Fedora to be a 
disappointment for everybody with VooDoo cards, so currently we might 
have the best Glide3 of all distros. Actually contacting other distros 
and advising them to drop their 2001 based Glide's and upgrade to the 
latest upstream is on my todo.

</offtopic>

The moral: volunteers can and will do hard things, although occasionally, 
and security is not necessarily all that hard.

To conclude I would like to take back my previous statement:
 > I'm in no way volunteering to do any of the work this will cause, not
 > because I don't want to, but because I don't have the time.

and to volunteer my (limited) time as a member of a FE security team, 
who wants to join me?

Regards,

Hans



