Disturbing lack of FE security updates announcements!
Hans de Goede
j.w.r.degoede at hhs.nl
Thu Nov 9 12:41:36 UTC 2006
Josh Bressers wrote:
>> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
>>
>> Hans de Goede schrieb:
>>> This morning I've been working on fixing several security flaws in imlib2.
>>> When I was done with fixing and building these, I started writing a
>>> security update notification mail to send to fedora-package-announce at redhat.com
>>> In the usual format for updates sent to this list.
>>> [...]
>>> FESco, can you please mandate sending a mail to fedora-package-announce at redhat.com for
>>> security related updates?
>> I agree with the idea. Hans, can you or maybe someone else (from the
>> Security SIG, sorry, Response Team?) work out a proposal and integrate it
>> into
>> http://www.fedoraproject.org/wiki/Extras/Schedule/SecurityAnnoucements
>> (that will be later moved to
>> http://www.fedoraproject.org/wiki/Extras/Policy )
>>
>> In an ideal world it would look a bit like
>> http://www.fedoraproject.org/wiki/Extras/Policy/WhoIsAllowedToModifyWhichPackages
>> e.g. a *short* section in the beginning that allows new contributors to
>> get an idea of our processes and rules without wasting too much time
>> reading details. Then a more detailed section which describes the thing
>> (Why? How?) in detail.
>>
>
> This is currently a non-trivial problem to solve. We lack the manpower to
> modify the various problem packages ourselves, so the obvious solution is
> to let the owner do the work and the security team would only have to step
> in when the owner is MIA. As soon as the owner builds the new package it
> magically appears as part of FE. We don't have an easy way to determine
> when something has been pushed live.
>
> The right way to solve this problem is to send announcements for every FE
> update (security or not), and to let the security team edit security
> advisories to ensure the proper information is included.
>
That is one solution, but given the rolling release model of FE, there are going to
be a lot of announcements. Why not ask FE package maintainers to send a security
announcement out when they push an update which has security implications / fixes?
Regards,
Hans