Extras Security Policy
Ralf Corsepius
rc040203 at freenet.de
Thu Sep 8 16:10:54 UTC 2005
On Thu, 2005-09-08 at 16:01 +0200, Michael Schwendt wrote:
> On Thu, 08 Sep 2005 13:40:00 +0200, Christian.Iseli at licr.org wrote:
>
> > On the other hand, everything is out there, opened, in the CVS. Nothing
> > prevents any motivated volunteer to go ahead and fix a security issue in any
> > package. Sure, it'd probably be considered "impolite" by some. Maybe we need
> > a simple rule that says "Security patches can be applied by any maintainer on
> > any package, in a first come first served basis, with proper advertisement on
> > the FE list" or some such...
Well, I had not only been referring to security issues, I am also
referring to bugs, esp. packaging bugs (broken deps, broken specs,
updates breaking ABIs/APIs, erroneously released (broken) packages
etc.).
Right now, not even package withdrawal is possible.
> If at all => bugzilla!
As long as maintainers treat bugzilla as /dev/null, and do not react
upon notifying them on PM, this is not a solution.
> Security fixes may require version upgrades, and you don't want to
> interfere with what the primary package maintainer may be preparing and
> testing already while you go and modify his package.
>
> That's a box you don't want to open.
ACK.
> Rather than "any packager touching any package", I'd prefer official
> co-maintainers who divide the package maintenance efforts and take
> care of a package beyond occasional security patches.
And I'd suggest a "task force" with "carte blanche" access to all packages.
Ralf