Disturbing lack of FE security updates announcements!
Ralf Corsepius
rc040203 at freenet.de
Thu Nov 9 14:17:51 UTC 2006
On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
> Josh Bressers wrote:
> >> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
> >>
> >> Hans de Goede wrote:
> > This is currently a non trivial problem to solve. We lack the man power to
> > modify the various problem packages ourselves, so the obvious solution is
> > to let the owner do the work and the security team would only have to step
> > in when the owner is MIA. As soon as the owner builds the new package it
> > magically appears as part of FE. We don't have an easy way to determine
> > when something has been pushed live.
> >
> > The right way to solve this problem is to send announcements for every FE
> > update (security or not), and to let the security team edit security
> > advisories to ensure the proper information is included.
> >
>
> That is one solution, but given the rolling-release model of FE, there are going to
> be a lot of announcements. Why not ask FE package maintainers to send a security
> announcement out when they push an update which has security implications / fixes?
Let me turn this thing around: Why should they?
I don't see why filing a PR and then giving maintainers a chance to
react should not work. Whether they will be able to react, whether they
will be able to react in reasonable time is a different question.
Ralf