Extras Security Policy
Hans de Goede
j.w.r.degoede at hhs.nl
Thu Sep 8 16:26:15 UTC 2005
Christian.Iseli at licr.org wrote:
> bugs.michael at gmx.net said:
>
>> If at all => bugzilla!
>
>> Security fixes may require version upgrades, and you don't want to interfere
>> with what the primary package maintainer may be preparing and testing already
>> while you go and modify his package.
>
>> That's a box you don't want to open.
>
>> Rather than "any packager touching any package", I'd prefer official
>> co-maintainers who divide the package maintenance efforts and take care of a
>> package beyond occasional security patches.
>
> In all such things, you usually need carrots and sticks. That rule would be
> the sticks part...
>
> How about:
> 1. Some automated process (watching bugtraq and friends), or some person,
> determines there is a potential security hole in some package.
> 2. Said process or person files a ticket with bugzilla, marked *security*
> 3. Bugzilla sends a mail to the FE-list, and a timer starts ticking
>
This is exactly my idea; I'll try to make some time to see if I can cook
up something which automagically watches bugtraq and creates bugzilla
entries accordingly. The timer part I dunno about; it sounds like a good
idea, but I for one am not all that keen on adding yet more procedures
(yeah, I like to contradict myself, get used to it :)
Regards,
Hans