Disturbing lack of FE security updates announcements!

Hans de Goede j.w.r.degoede at hhs.nl
Thu Nov 9 15:38:45 UTC 2006


Ralf Corsepius wrote:
> On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
>> Josh Bressers wrote:
>>>> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
>>>>
>>>> Hans de Goede wrote:
>  
>>> This is currently a non trivial problem to solve.  We lack the man power to
>>> modify the various problem packages ourselves, so the obvious solution is
>>> to let the owner do the work and the security team would only have to step
>>> in when the owner is MIA.  As soon as the owner builds the new package it
>>> magically appears as part of FE.  We don't have an easy way to determine
>>> when something has been pushed live.
>>>
>>> The right way to solve this problem is to send announcements for every FE
>>> update (security or not), and to let the security team edit security
>>> advisories to ensure the proper information is included.
>>>
>> That is one solution, but given the rolling release model of FE, there are going to
>> be a lot of announcements. Why not ask FE package maintainers to send a security
>> announcement out when they push an update which has security implications / fixes?
> Let me turn this thing around: Why should they?
> 
> I don't see why filing a PR and then giving maintainers a chance to
> react should not work. Whether they will be able to react, whether they
> will be able to react in reasonable time is a different question.
> 

How and by whom the issue is getting fixed is not the question / problem here. AFAIK
the fixing is done by the maintainer in a reasonable amount of time in most cases.

The problem I'm trying to address here is that there is no way for end users
to find out about FE package updates which are security related. This is BAD, hence my
suggestion to ask maintainers to send a security update announcement (in a predefined
format / template) to fedora-packages-announce when there is a security related update of
an FE package they (the maintainers) maintain.

Regards,

Hans