Security Response Team / EOL

Ralf Corsepius rc040203 at freenet.de
Fri Apr 28 15:50:36 UTC 2006


On Fri, 2006-04-28 at 17:12 +0200, Michael Schwendt wrote:
> On Fri, 28 Apr 2006 14:29:49 +0200, Ralf Corsepius wrote:
> 
> > Or to put it differently: I think you are mixing 2 completely
> > independent issues:
> > * Regular maintenance of "legacy" packages the "nominal maintainer" in
> > current has abandoned to actively maintain.
> > * Security response. 
> 
> Well, I tried to separate these two. But others didn't like the idea of
> a "Fedora Extras Legacy Team" (= the combined set of Fedora Extras
> Contributors who still support old legacy branches). Currently I still
> don't know _who_ would maintain old legacy packages, if not the Fedora Extras
> Security Response Team.

I think we are still talking past each other. Let me try to give a
(worst case) example of what I am talking about:

"Maintainer" once submitted a package when FC3 was "devel". The package
had been built for FC2, too. Meanwhile, FC5 is out, devel is future FC6.
"Maintainer" has switched to actively using FC5 and therefore is not
actively using Fedora < 5 anymore.

He therefore releases upgrades for "FC5" and "devel", but skips anything
older than FC4. Now he has a sudden accident sending him to hospital for
2 months - Nobody notices.

Now, somebody (outside of Fedora) finds a severe exploit with this
package, affecting all versions from FE2 through "devel".

Questions: What will happen next, and who will perform which kind of
action?

First of all, somebody in Fedora will have to get to know about this
exploit. As you can't expect packagers to follow all potential security
lists, and given the fact that security issues are often kept secret, getting to
know about security issues isn't necessarily easy.

Then, somebody will have to implement a fix, and to apply it. In some
cases, such fixes will be available from external sources, in some cases
the packager will be able to develop a fix himself, but one can't rely
on either of these possibilities.

At this point the question of "Who does what?", i.e. coordination and
responsibilities, comes into play. ATM, Legacy should fix FE2, the
packager would fix FE5 and devel, maybe he would try to fix FE4 - FE3
would stay vulnerable.

As he had an accident, probably nothing would happen, until somebody
starts shouting loudly.

Therefore, I say: We need a "Security Task force", monitoring security
lists, assisting in providing fixes, taking actual action regardless of
package ownership, when necessary.

If one brings this thought to an end, you'll notice that the situation
becomes even more difficult, when considering packagers outside of FE,
such as Core or Legacy - In my opinion, it substantially questions this
split.

Ralf
