Disturbing lack of FE security updates announcements!

Michel Salim michel.salim at gmail.com
Thu Nov 9 15:43:56 UTC 2006


On 11/9/06, Hans de Goede <j.w.r.degoede at hhs.nl> wrote:
> Ralf Corsepius wrote:
> > On Thu, 2006-11-09 at 13:41 +0100, Hans de Goede wrote:
> >> Josh Bressers wrote:
> >>>> https://www.redhat.com/archives/fedora-extras-list/2006-November/msg00148.html
> >>>>
> >>>> Hans de Goede wrote:
> >
> >>> This is currently a non trivial problem to solve.  We lack the man power to
> >>> modify the various problem packages ourselves, so the obvious solution is
> >>> to let the owner do the work and the security team would only have to step
> >>> in when the owner is MIA.  As soon as the owner builds the new package it
> >>> magically appears as part of FE.  We don't have an easy way to determine
> >>> when something has been pushed live.
> >>>
> >>> The right way to solve this problem is to send announcements for every FE
> >>> update (security or not), and to let the security team edit security
> >>> advisories to ensure the proper information is included.
> >>>
> >> That is one solution, but given the rolling release model of FE, there are going to
> >> be a lot of announcements. Why not ask FE package maintainers to send a security
> >> announcement out when they push an update which has security implications / fixes?
> > Let me turn this thing around: Why should they?
> >
> > I don't see why filing a PR and then giving maintainers a chance to
> > react should not work. Whether they will be able to react, whether they
> > will be able to react in reasonable time is a different question.
> >
>
> How and by whom the issue is getting fixed is not the question / problem here. AFAIK
> the fixing is done by the maintainer in a reasonable amount of time in most cases.
>
> The problem I'm trying to address here is that there is no way for end users
> to find out about FE package updates which are security related. This is BAD, hence my
> suggestion to ask maintainers to send a security update announcement (in a predefined
> format / template) to fedora-packages-announce when there is a security related update of
> an FE package they (the maintainers) maintain.
>
Having a Makefile target for it would be nice. So you do 'make
secbuild' or something similar, and then get prompted for a notice.


-- 
Michel Salim

Don't worry about avoiding temptation -- as you grow older, it starts
avoiding you.
                -- The Old Farmer's Almanac
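The build-time prompt sketched above, as an added example that is not from this thread or from the Fedora Extras build tooling: a POSIX shell helper that a "make secbuild" target could run after a successful build. Everything specific here is an assumption of this example (the script name secbuild.sh, the SECBUILD_INTERACTIVE variable, the prompted fields, the advisory template, and the NVR and CVE-id checks); the message only proposes prompting the maintainer for a notice. The checks are the part a practitioner would want: a notice with a malformed package name or a mistyped CVE id is rejected before it can be sent.

```shell
#!/bin/sh
# secbuild.sh: hypothetical helper behind a "make secbuild" target.
# Example code, not part of the thread or of the FE build system; the field
# names, template and validation rules below are assumptions made here.
#
# A Makefile rule might call it like this (assumed, not from the thread):
#   secbuild: build
#   	SECBUILD_INTERACTIVE=1 sh secbuild.sh > "$(NVR).advisory"
set -u

# Accept CVE-YYYY-NNNN, with four or more digits in the sequence part.
valid_cve() {
    printf '%s\n' "$1" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'
}

# Accept a name-version-release string such as foo-1.2.3-2.fc6: the name may
# contain hyphens, version and release may not, and all three must be present.
valid_nvr() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.+-]+-[A-Za-z0-9_.+]+-[A-Za-z0-9_.+]+$'
}

# Split a validated NVR into its parts (strip the last two dash-separated fields,
# the second-to-last field, and the last field respectively).
nvr_name()    { printf '%s\n' "${1%-*-*}"; }
nvr_version() { rest=${1%-*}; printf '%s\n' "${rest##*-}"; }
nvr_release() { printf '%s\n' "${1##*-}"; }

# render_advisory NVR BRANCH SUMMARY CVE...: print the notice on stdout in the
# (assumed) predefined format, or fail with a message on stderr if a field is bad.
render_advisory() {
    nvr=$1; branch=$2; summary=$3; shift 3
    valid_nvr "$nvr" || { echo "secbuild: bad package NVR: $nvr" >&2; return 1; }
    [ $# -gt 0 ] || { echo "secbuild: at least one CVE id is required" >&2; return 1; }
    for id in "$@"; do
        valid_cve "$id" || { echo "secbuild: bad CVE id: $id" >&2; return 1; }
    done
    name=$(nvr_name "$nvr")
    printf 'Subject: [SECURITY] %s: %s\n\n' "$nvr" "$summary"
    printf 'Package:    %s\n' "$name"
    printf 'Version:    %s\n' "$(nvr_version "$nvr")"
    printf 'Release:    %s\n' "$(nvr_release "$nvr")"
    printf 'Branch:     %s\n' "$branch"
    printf 'References: %s\n' "$*"
    printf 'Summary:    %s\n' "$summary"
    printf '\nUpdate with: yum update %s\n' "$name"
}

# Interactive path: prompts go to stderr so stdout carries only the advisory.
main() {
    printf 'Package NVR (e.g. foo-1.2.3-2.fc6): ' >&2; read -r nvr
    printf 'Branch (e.g. FC-6): ' >&2;                read -r branch
    printf 'One-line summary: ' >&2;                  read -r summary
    printf 'CVE ids, space separated: ' >&2;          read -r cves
    # $cves is deliberately unquoted so each id becomes its own argument.
    render_advisory "$nvr" "$branch" "$summary" $cves
}

if [ "${SECBUILD_INTERACTIVE:-0}" = 1 ]; then
    main
fi
```

Sourcing the file without SECBUILD_INTERACTIVE=1 only defines the functions, so the same checks can be reused non-interactively, for instance to reject an advisory with no CVE reference before it reaches the announcement list.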



