Extras Security Policy
Hans de Goede
j.w.r.degoede at hhs.nl
Thu Sep 8 10:57:48 UTC 2005
Warren Togami wrote:
> Hans de Goede wrote:
>
>>
>> Besides that we need a clear security policy to be written and approved
>> by fesco:
>
> SNIP
>
>>
>> We really need an FE security team which watches over FE's security
>> aspects.
>
>
> Generally everyone agrees about "need" ...
>
>>
>> I'm in no way volunteering to do any of the work this will cause, not
>> because I don't want to, but because I don't have the time.
>>
>
> but security is *hard* for volunteers to do. Nobody is accountable
> because it isn't their job responsibility. Volunteers generally do the
> "fun" things first, and sometimes one-time harder problems. This does
> not describe what it takes to maintain eternal vigilance necessary of
> people focused on security in the long-term. I am talking here of
> realistic expectations of volunteer capability.
>
Agreed on the not accountable part. But I have to disagree on the *hard*
part, security is very important, and making sure that FE is as secure
as possible (with limited resources) can be "Fun", or at least something
to be proud of, which can be just as motivational as fun (I hope).
<offtopic>
I myself for example have picked up Glide3 when dropped from core, and
in a horrible state, newer gcc's didn't like it at all, it was last updated
2001 and kept going with some patches after that (with the largest patch
being written by me in the first place)
It took me weeks to get it in a suitable state for FC3 extras and months
to get it in really good state. After working closely with upstream it
now is in great state, with added support for older VooDoo's and being
completely 64 bit clean.
So this was hard, yet I did it, because I didn't want Fedora to be a
disappointment for everybody with VooDoo cards, so currently we might
have the best Glide3 of all distros. Actually contacting other distros
and advising them to drop their 2001 based Glide's and upgrade to the
latest upstream is on my todo.
</offtopic>
The moral, volunteers can and will do hard things, although occasionally
and security is not necessarily all that hard.
To conclude I would like to take back my previous statement:
> I'm in no way volunteering to do any of the work this will cause, not
> because I don't want to, but because I don't have the time.
and to volunteer my (limited) time as a member of a FE security team,
who wants to join me?
Regards,
Hans