Disturbing lack of FE security updates announcements!
Josh Bressers
bressers at redhat.com
Thu Nov 9 12:15:17 UTC 2006
> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
>
> Hans de Goede schrieb:
> > This morning I've been working on fixing several security flaws in imlib2.
> > When I was done with fixing and building these, I started writing a
> > security update notification mail to send to fedora-package-announce at redhat.com
> > In the usual format for updates send to this list.
> > [...]
> > FESco, can you please mandate sending a mail to fedora-package-announce at redhat.com for
> > security related updates?
>
> I agree with the idea. Hans, can you or maybe someone else (from the
> Security SIG, sorry, Response Team?) work out a proposal an integrate it
> into
> http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements
> (that will be later moved to
> http://www.fedoraproject.org/wiki/Extras/Policy )
>
> In an ideal world it would look a bit like
> http://www.fedoraproject.org/wiki/Extras/Policy/WhoIsAllowedToModifyWhichPackages
> e.g. a *short* section in the beginning that allows new contributors to
> get an idea of our processes and rules without wasting to much time
> reading details. Then a more detailed section witch describes the thing
> (Why? How?) in detail.
>
This is currently a non trivial problem to solve. We lack the man power to
modify the various problem packages ourselves, so the obvious solution is
to let the owner do the work and the security team would only have to step
in when the owner is MIA. As soon as the owner builds the new package is
magically appears as part of FE. We don't have an easy way to determine
when something has been pushed live.
The right way to solve this problem is to send announcements for every FE
update (security or not), and to let the security team edit security
advisories to ensure the proper information is included.
--
JB
More information about the fedora-extras-list
mailing list